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Evaluation techniques' 


Assessor 


Benchmark 


Framework 


Impact assessment 


Likelihood 


Method 


Template 


Probability 


the actor who performs an assessment process, be it in-house 
(internal) or outsourced (external). 


a societal concern or concerns (that is, a matter or matters of 
interest or importance) that is/are in a need of governance and 
management, including its/their protection and promotion. 


an “essential supporting structure”? or organisational arrange- 
ment for an evaluation technique, which defines and describes 
the conditions and principles thereof. 


an evaluation technique used to analyse the possible consequen- 
ces of an initiative for a relevant societal concern or concerns, 
if this initiative could present danger to these concerns, with a 
view to supporting an informed decision on whether to deploy 
the initiative and under what conditions, and constitutes — in the 
first place — a means to protect those concerns.’ 


a “chance of something happening [...], whether defined, measu- 
red or determined objectively or subjectively, qualitatively or quan- 
titatively, and described using general terms or mathematically 
(such as a probability or a frequency over a given time period).”* 


a “particular procedure for accomplishing or approaching some- 
ing." organising the practice of impact assessment and defi- 
ning the consecutive or iterative steps to be undertaken in order 
to carry out the assessment process; a method corresponds to a 


framework, and can be seen as a practical reflection of it. 


a practical aid for the assessor, taking the form of a schema to 
be completed following the given method and, upon completion, 
serving as a final report stemming from the assessment process.° 


a “measure of the chance of occurrence expressed as a number be- 


tween 0 and 1, where 0 is impossibility and 1 is absolute certainty”’ 


Risk 


Severity 


the “magnitude of the damage, harm, etc: 
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an “effect of uncertainty on objectives. [...] An effect is a devia- 


tion from the expected. It can be positive, negative or both, and 


can address, create or result in opportunities and threats?’ 
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Privacy and personal data protection 


Accountability 


Consent 


Data controller 


Data processor 


Data subject 


Directive 


Data protection 
impact assessment 


a twofold legal obligation for the data controller to take appropria- 
te and effective measures to implement data protection principles, 
and to demonstrate, upon request, that appropriate and effective 
measures have been taken, thus providing evidence thereof. 


any freely given, specific, informed and unambiguous indication 
of the data subject’s wishes by which they, through a statement 
or clear affirmative action, signify agreement to the processing of 
personal data relating to themselves." 


the natural or legal person, public authority, agency or other 
body that, alone or jointly with others, determines the purposes 
and means of the processing of personal data.” 


a natural or legal person, public authority, agency or other body 
that processes personal data on behalf of the controller." 


an identifiable natural person, that is, one who can be identified, 
directly or indirectly, in particular by reference to an identifier 
such as a name, an identification number, location data, an on- 
line identifier, or to one or more factors specific to the physical, 
physiological, genetic, mental, economic, cultural or social iden- 
tity of that natural person." 


a legislative act of the EU, which sets out a goal that all EU Mem- 
ber States must achieve, while allowing the individual countries 
to devise their own laws on how to reach these goals." 


a type of impact assessment; in the EU, a legal obligation of the 
data controller, prior to the processing, to carry out an assessment 
of the impacts of the envisaged processing operations on the pro- 
tection of personal data, where a type of processing in particular 
using new technologies, and taking into account the nature, scope, 
context and purposes of the processing, is likely to result in a high 
risk to the rights and freedoms of natural persons (data subjects).!° 
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Personal data 


Processing of 
personal data 


Profiling 


Recommendation 


Regulation 


Security of processing 


Special categories of 
personal data 


Supervisory authority 
(data protection 
authority) 


Glossary 


any information relating to an identified or identifiable natural 
person (data subject).'” 


any operation or set of operations performed on personal data 
or on sets of personal data, whether or not by automated means, 
such as collection, recording, organisation, structuring, storage, 
adaptation or alteration, retrieval, consultation, use, disclosure 
by transmission, dissemination or otherwise making available, 
alignment or combination, restriction, erasure or destruction.’ 


any form of automated processing of personal data consisting 
of the use of personal data to evaluate certain personal aspects 
relating to a natural person, in particular to analyse or predict 
aspects concerning that natural person’s performance at work, 
economic situation, health, personal preferences, interests, relia- 
bility, behaviour, location or movements.’ 


a non-binding legislative act of the EU, which enables the EU 
institutions to express a view to EU Member States, and in some 
cases, to individuals.” 


a legislative act of the EU, binding in its entirety and directly ap- 
plicable within all EU Member States 7 


a legal obligation of the data controller and the data processor to 
implement appropriate technical and organisational measures to 
ensure a level of security of personal data appropriate to the risk, 
taking into account the state of the art, the costs of implementati- 
on and the nature, scope, context and purposes of processing, as 
well as the varying likelihood and severity of risks for the rights 
and freedoms of natural persons.” 


personal data revealing racial or ethnic origin, political opinions, 
religious or philosophical beliefs, or trade union membership, 
and the processing of genetic data, biometric data for the pur- 
pose of uniquely identifying a natural person, data concerning 
health, or data concerning a natural persons sex life or sexual 
orientation.” 


a relevant public body (that is, an independent regulatory agen- 
cy) empowered to perform specific functions in the field of per- 
sonal data protection;™ its roles usually include: ombudsmen, 
consultants, negotiators, auditors, educators, policy advisers, 
and enforcers.” 
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Ethics and social acceptance 


Anticipatory methods techniques of governance that aim to anticipate possible future 


Applied ethics 


Consequentialism 


Deficit model 


Deontology 


Descriptive ethics 


consequences by tackling impacts of technologies before they 
materialise and by influencing future decision-making.” 


the practical application of normative theories to concrete con- 
troversial cases by performing rigorous philosophical reasoning 
to solve dilemmas or guide decision-making; the most establis- 
hed forms of applied ethics are currently bioethics, business 
ethics, computer ethics and environmental ethics; emerging 
fields are robo-ethics, big data ethics and artificial intelligence 
(AI) ethics. 


a set of theories stating that actions are right or wrong only on the 
basis of their outcomes (that is, consequences); in other words, 
among the possible actions available, one chooses the option that 
maximises the expected outcomes. 


“the orthodox assumption [...] found amongst most policy-ma- 
kers and scientists that the general public lack[s] sufficient know- 
ledge and understanding of basic science and technology”;” this 
lack of knowledge, in turn, produces scepticism or hostility to- 
wards science and technology. 


a set of theories that defines rules on the basis of fundamental 
moral principles, rather than the consequences of an action; an 
action is morally right if it conforms to certain duties, rights, 
prohibitions, or responsibilities, and/or if the actor has certain 
intentions, regardless of the consequences of such an action; 
roughly, the definition of duty precedes that of what counts as 
“good”. 


a form of empirical research describing existing norms or ways 
to discuss moral issues;”* it describes people’s beliefs about mo- 
rality (which can originate from traditions, habits, education or 
personal attitudes) at a given time in a given place, as a form 
of sociological, ethnographical or (neuro)psychological inquiry; 
examples of descriptive ethics come from neuroscience, whe- 
re moral thoughts and emotions are described in terms of the 
neural circuits that are activated when people engage in moral 
thinking.” 
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Distributive justice 


Ethics 


Engagement model 


Function creep 


Metaethics 


Normative ethics 


Principles 


Glossary 


a set of theories based on the idea of “fairness in distribution” or 
“what is deserved”; an action is therefore morally wrong whene- 
ver some benefit to which a person is entitled is denied (without 
any compelling reason) or whenever there is an unequal distri- 
bution of benefits and burdens. 


a branch of philosophy that deals, roughly, with a rational and 
practical reflection on what is good or bad and right or wrong; 
“ethics” is a synonym for moral philosophy. 


the theoretical account in which individuals are not only “in- 
structed” but also involved in a dialogue with scientists and poli- 
cy makers;* the idea is that participation is moved “upstream”! 
by taking the lay knowledge of the citizens seriously and possibly 
achieving a two-way dialogue between them and scientists. 


the deployment of a specific initiative (for example, a border 
control technology) for the purpose for which it was not origi- 
nally intended.” 


the study of a wide range of metaphysical, epistemological or psy- 
chological presuppositions related to moral language, thought 
and practice, regardless of particular substantive debates about 
morality; for example, in a debate on the validity of ethical prin- 
ciples, the European Commission (EC) has been supportive of 
an idea of a global framework for ethics of Artificial Intelligence 
(AI) that goes beyond particularities, and which could possibly 
become globally applicable.* 


the study of the criteria or principles that one should follow to act 
morally; of the consequences that one should take into account 
when making a decision that is morally laden; or, more generally, of 
the type of life one should live to be fulfilled or serve as an example 
to others; in the technology discourse, an exemplary debate is that 
of self-driving cars with reference to the famous trolley dilemma;™ 
the basic idea is that an autonomous car will have to face moral di- 
lemmas and therefore take morally charged decisions; the outcome 
of these decisions would - crucially - depend on the normative 
theory that the programmer would “inscribe” in the software. 


in ethics, propositions that provide general or abstract guidance 
for action, typically formulated in sentences such as “You should 
(not) do X” or “You should respect Y”. 


19 


Rules 


Social acceptance 


Stakeholder 


Values 
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in ethics, indications of what individuals ought (not) to or are 
(not) allowed to do in a given situation. 


“the fact that a new technology is accepted - or merely tolerated 
- by acommunity”;® to accept, in turn, refers to the act of recei- 
ving something that is offered, of giving an affirmative reply to it, 
and accommodating to it with approval.” 


“someone who holds a stake (interest) in something, regardless 
of whether or not he or she is aware of this and of whether the 
interest is articulated directly or not”*’ 


indications of the extent to which someone cares about an object 
or action, for example dignity, solidarity or equality.** 


Border management 


Border checks 


Border control 


Border crossing points 


Border guard 


Border surveillance 


checks carried out at border crossing points to ensure that per- 
sons, including their means of transport and the objects in their 
possession, may be authorised to enter the territory of a state or 
authorised to leave 12 


activity carried out at a border, exclusively in response to an in- 
tention to cross or the act of crossing that border, regardless of 
any other consideration, consisting of both border checks and 
border surveillance.” 


crossing points authorised by the competent authorities for the 
crossing of (external) borders.” 


a public official assigned, in accordance with national law, to a 
border crossing point, along a border, or in the immediate vici- 
nity of that border, who carries out border control tasks, in ac- 
cordance with law.” 


the activity of surveillance of borders between border crossing 
points and the surveillance of border crossing points outside the 
fixed opening hours, with the aim of preventing persons from 
circumventing border checks;* in a broader — but not strictly 
legal - sense, other activities happening before the border that 
target individuals and groups (for example, monitoring of sea 
corridors and of social media to identify migration routes) can 
be considered border surveillance.“ 
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Dual-use items 


ECRIS-TCN 


EES 


EU large-scale 
databases 


Eurodac 


Glossary 


items, including software and technology, which can be used for 
both civil and military purposes, including all goods that can be 
used for both non-explosive purposes and that can assist in any 
way in the manufacture of nuclear weapons or other nuclear ex- 
plosive devices.“ 


the European Criminal Records Information System for Third 
Country Nationals, the EU’s large-scale database that will sup- 
plement the existing EU criminal records database (ECRIS) on 
non-EU nationals convicted in the European Union; based on 
a centralised hit/no-hit system, it will allow Member States au- 
thorities to identify which other Member States hold criminal 
records on the third-country nationals or stateless persons being 
checked, so that they can then use the existing ECRIS system to 
address requests for conviction information only to the identi- 
fied Member States 


the Entry-Exit System, the EU’s large-scale database that will 
electronically register the time and place of entry and exit of 
third-country nationals, both those who require a visa and those 
who are visa-exempt, admitted for a short stay, as well as those 
refused entry.“ 


the Schengen Information System II (SIS II), the European Dac- 
tyloscopy (Eurodac), the Visa Information System (VIS), the 
Entry-Exit Systems (EES), the European Criminal Records In- 
formation System for Third Country Nationals (ECRIS-TCN) 
and the European Travel Information and Authorisation System 
(ETIAS). 


the European Dactyloscopy, the EU’s large-scale database for the 
storage of fingerprints of asylum seekers and irregular migrants 
aged 14 and over, which enables Member States to compare the 
fingerprints of asylum applicants in order to see whether they 
have previously applied for asylum or entered the EU irregular- 
ly via another Member State, to determine the responsibility for 
examining an asylum application; since July 2015, Eurodac has 
also been used for law enforcement purposes by Member State 
law enforcement authorities and Europol.* 
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ETIAS 


Europol 


External borders 


Externalisation of 
(European) border 
control 


Internal borders 


Interoperability 


Interpol 


Privatisation of 
border control 
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the European Travel Information and Authorisation System, a 
pre-travel authorisation system for visa-exempt travellers, the 
key function of which is to verify if a third-country national 
meets entry requirements before travelling to the Schengen area, 
enabling pre-travel assessment of irregular migration risks, and 
security or public health risk checks; Member States’ designated 
authorities and Europol will be able to consult data stored in the 
ETIAS Central System for the purposes of the prevention, de- 
tection and investigation of terrorist offences or of other serious 
criminal offences.” 


the European Union Agency for Law Enforcement Cooperation, 
a European agency established with a view to supporting coope- 
ration among law enforcement authorities in the Union.” 


in the Schengen Area, Member States’ land borders, including 
river and lake borders, sea borders and their airports, river ports, 
seaports and lake ports, which are not internal borders.” 


a range of processes whereby the EU and its Member States 
complement policies to control migration across their territorial 
boundaries with initiatives that realise such control extra-terri- 
torially and through countries and organs other than their own.” 


in the Schengen Area, borders exclusively involving the territories 
of Member States of the EU; for example common land borders, 
including river and lake borders; airports for internal flights; sea, 
river and lake ports for regular internal ferry connections.” 


the ability of information technology (IT) systems and of the 
business processes they support to exchange data and to enable 
the sharing of information and knowledge.™ 


the International Criminal Police Organisation, an inter-gover- 
nmental organisation with 194 Member Countries, that ensures 
and promotes mutual assistance between the criminal police au- 
thorities of its members.” 


any measure by a state that delegates the implementation of bor- 
der management to a private actor.” 
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SIS 


Smart Borders 


VIS 


Glossary 


the Schengen Information System, the EU’s large-scale database 
aimed at ensuring a high level of security and facilitating the free 
movement of people within the Schengen Area through three 
areas of cooperation: border control, law enforcement and vehi- 
cle registration; it contains alerts on persons who may have been 
involved in a serious crime or may not have the right to enter 
or stay in the Schengen Area; on missing persons, in particular 
children; on certain property, such as banknotes, aircraft, boats, 
cars, vans, containers, firearms and identity documents, that may 
have been stolen, misappropriated or lost;°” new functionalities 
are being implemented in different stages, with a requirement for 
the work to be completed by 2021.5 


in the EU, automated systems to speed up and facilitate the bor- 
der check procedure of the majority of travellers, and to hinder 
and stop those immigrants that poses a threat to the security of 
the EU through their status as irregular immigrants, criminals 
or terrorists. 


the Visa Information System, the EU’s large-scale database that 
supports Member States’ consular authorities in the management 
of applications for short-stay visas to visit or to transit through 
the Schengen Area; it enables the exchange of visa information 
and the matching of biometric data to verify the authenticity of 
a visa;” the VIS supports the fight against fraud and facilitates 
checks within the territory of the Member States, assisting in the 
identification of any person who may not or may no longer fulfil 
the conditions for entry to, stay in, or residence on the territory 
of the Member States; as ancillary objectives, the VIS supports 
the asylum applications process and contributes to the preventi- 
on of threats to internal security.” 
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This book is occasioned by the convergence of two political occurrences. 

The first is the unprecedented rise in global migration. According to the International 
Organization for Migration’s (IOM) 2020 World Migration Report, 272 million people, or 
roughly 3.5% of the world’s population, are migrants.' The IOM - as well as other com- 
mentators - notes that migration has taken a particularly serious turn in recent years, in 
part as a result of armed conflict (for example, in Syria, Yemen, the Central African Re- 
public, the Democratic Republic of the Congo and South Sudan), economic and/or politi- 
cal instability, and, increasingly, climate change.” This multi-year global evolution and its 
ill-fated transformation into various forms of identity politics has led to the transforma- 
tion of migration from its traditional status as a humanitarian challenge to its new incar- 
nation as a security problem.’ Moreover, the particularity of this new security challenge is 
that it does not prioritise the more-or-less plainly visible security crisis in which migrants 
find themselves, but rather the cultural and, in part, societal security of the recipient states. 
This has strengthened the politically unavoidable hypothesis that solving the problem of 
migration is workable only through addressal of the issue of securing state borders. 

The second occurrence is less concrete and less visible, but nonetheless impacts the 
first in important ways. It involves the growing expectation of immediacy in politics, the 
demand for quicker political decision-making and implementation, especially in the face 
of a perceived danger. Together with the rise of the notion of risk at the end of the last 
century, and the actuarial impulse brought about by the growing global influence of New 
Public Management (an organisational strategy according to which public affairs should 
be governed in accordance with private business models) and the rise of anticipatory po- 
litics, such as the precautionary principle developed in the field of environmental studies, 
it has become a political necessity to foresee and pre-calibrate political processes and the 
impacts they will have upon individuals and societies. 
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This double challenge forms the political, social and technological motivation for the 
development of evaluation techniques and other tools that are used to govern the develop- 
ment and application of new initiatives, including — in this context - border technologies, 
in order to assess their possible impact on societal values such as human rights, including 
- again, particularly in this context — the rights to privacy and personal data protection. 

This book takes a particular interest in new border technologies for two reasons. First, 
such technologies are deployed in environments characterised by a complex interaction 
between societal values and technological constraints. In other words, border technolo- 
gies, having the ambition of allowing for ‘seamless’ or ‘contactless’ passage through state 
borders, are increasingly utilised at borders with the aim of improving the flow of travel- 
lers and facilitating border checks. Experience has shown, however, that their use often 
conflicts with societal values. Second, on the macro-political level, such border techno- 
logies are often a focus of highly contentious debates about identity, sovereignty, security, 
national and European values, resilience, risk, and the fragility of life itself. 

As a result, there is a growing need to accommodate two requirements: the deployment 
of new border technologies and the respect for relevant societal values. 

As a tool by which to help clarify issues within this complex debate, this book pro- 
poses a concept of impact assessment. Alongside the myriad evaluation techniques also 
available, this tool will aid the anticipation of and critical reflection on the possible future 
consequences of envisaged border management initiatives, and contribute to more sound 
decisions being made about their use. 

To that end, this book offers a number of novel aspects. Aiming at comprehensiveness 
and provision of the most robust advice for decision making, it adapts the method of 
impact assessment to the on-the-ground realities and needs of border technologies by 
integrating at least four societal concerns triggered by these technologies, namely: priva- 
cy, personal data protection, ethics and social acceptance. It offers the option of adding 
further concerns and adjusting them to local contexts. It furthermore allows for the inte- 
gration of this four-part impact assessment with other evaluation techniques, for example 
regulatory impact assessment (RIA).* 


+O 


The book is organised into eight Chapters and four Annexes. Chapter 2 proposes an over- 
all introduction to the concept of impact assessment. As the appraisal of consequences 
of initiatives for individuals and society requires a certain degree of suppleness for the 
reading and interpreting of social values, Chapters 3-7 describe the components of the 
benchmark used for integrated impact assessment. In this context, these components are 
the notions of privacy, personal data protection, ethics and social acceptance. Chapter 8 
then presents a tailored method for integrated impact assessment of border control tech- 
nologies, supplemented by methodological indications aimed at supporting assessors and 
other border management actors. 
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These Chapters are followed by four Annexes containing supplementary information 
and aids for users of the book. These include, in Annex 1, a tailored template for a report 
from the process of integrated impact assessment of border control technologies. Annexes 
2-4 provide more specific, detail-oriented information intended to help impact assessors 
in carrying out assessment processes. These include analytic inventories of stakeholder 
involvement techniques (Annex 2), a list of concrete assessment methods (Annex 3) and, 
finally, an inventory of relevant border management legislation applicable in the European 
Union and the Schengen Area (Annex 4). The Chapters and Annexes are preceded by a 
glossary of key terms used throughout the book. In parallel, the book includes copious 
references to academic and professional sources, the majority of which are available in 
open access format. 

In summary, this book constitutes a textbook on the use of integrated impact assess- 
ment. It is addressed to anyone involved in the ‘supply chain’ of border management and, 
in particular, to assessors and those in charge of decision-making pertaining to new bor- 
der technologies. It focuses on the European Union and the Schengen Area, notwithstan- 
ding a possibility for adaptation and use elsewhere in the world. 

The book reflects the law and practice as they stood on 31 March 2021. 


+ OE 


During the creation of this book, we received with gratitude help from - in alphabetical 
order - Simone Casiraghi, Athena Christofi, Diana Dimitrova, Konstantinos Kakavoulis, 
Ioulia Konstantinou, Inge Lindsaar, Giulio Mancini, Petra Molnar, Anna Moscibroda, An- 
net Steenbergen and Eckhard Szimba. We also thank the two anonymous reviewers who 
have contributed to ensuring the scientific quality and integrity of this book in accordance 
with the Guaranteed Peer-Review Content (GPRC) scheme.’ 

This book constitutes the main output of the research project PERSONA (Privacy, ethi- 
cal, regulatory and social no-gate crossing point solutions acceptance; 2018-21),° funded by 
the European Union under its Horizon 2020 programme. 


Paris — Brussels 
April 2021 
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2.1 Introduction 


This Chapter introduces the concept of impact assessment, and thus lays down a foun- 
dation for the present textbook on integrated impact assessment for border control tech- 
nologies. It intends to offer, in an accessible way, an overview of the said concept, eventu- 
ally aiming to constitute a reference work for anybody interested in the topic.’ 

The Chapter is structured as follows: After the present introduction, it outlines the con- 
cept of impact assessment, namely its definition, terminology, and historical development, 
as well as its merits and drawbacks, ultimately exploring the possibility of integrating mul- 
tiple evaluation techniques (Section 2.2). In Section 2.3, it offers 16 principles and condi- 
tions that apply to both the theory and practice of impact assessment (namely, the frame- 
work) and, in Section 2.4, it defines and describes, in a general manner, the consecutive or 
iterative steps to be undertaken in order to carry out an assessment process of any type and 
in any area of practice (namely, the method). This Chapter is to be read in conjunction with 
Chapter 8 and Annex 1, offering a tailored method and template, respectively, for a report 
arising from the process of integrated impact assessment for border control technologies. 

This Chapter builds on the work of Vrije Universiteit Brussel’s (VUB’s) Brussels La- 
boratory for Data Protection & Privacy Impact Assessments (d.pia.lab)* and, wherever 
necessary, revises and updates it. However, nothing in this Chapter is to be considered 
‘final; as the concept of impact assessment is a ‘living instrument; constantly necessitating 
a reflection on the most recent stage(s) of its development. 
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2.2 Impact assessment 


2.2.1 Overview 


Generally speaking, impact assessment is an evaluation technique used to analyse the pos- 
sible consequences of an initiative for a relevant societal concern or concerns (that is, a 
matter, or matters, of interest or importance), to determine whether this initiative could 
present danger to these societal concerns, with a view to supporting an informed decision 
on whether to deploy the initiative and under what conditions, and constitutes - in the 
first place — a means by which to protect those societal concerns.* 

Analogous to the structure of risk management,’ the architecture of impact assessment 
typically consists of three main elements: framework, method and template. A frame- 
work constitutes an ‘essential supporting structure’ or organisational arrangement for 
something, which, in this context, defines and describes the conditions and principles of 
impact assessment. A method is a ‘particular procedure for accomplishing or approaching 
something.’ It organises the practice of impact assessment and defines the consecutive 
or iterative steps to be undertaken in order to carry out the assessment process. A me- 
thod corresponds to a framework and can be seen as a practical reflection of it. Finally, 
a template is a practical aid for the assessor. It takes the form of a schema to be comple- 
ted following the given method. It structures the assessment process, guides the assessor 
through the process and, upon completion, serves as a final report from the process. It 
documents all the activities undertaken within a given assessment process, clarifies the 
extent of compliance with the law, and provides evidence as to the quality of the assess- 
ment process.® 

This architecture is often supplemented by aids such as guidelines (handbooks, manu- 
als), knowledge bases (for example, inventories of possible risks and corresponding coun- 
termeasures), and software to aid assessors in the assessment process by automating parts 
thereof; all such aids vary significantly in their quality and applicability. 

The assessor is the actor who performs an assessment process, be it in-house (internal) 
or outsourced (external). The assessment process frequently necessitates expertise from 
more than a single domain, and hence is to be considered a collaborative activity. The 
team of assessors remains professionally independent from the leadership of a sponsoring 
organisation throughout the assessment process. 

Finally, a benchmark is a societal concern or concerns that is/are in a need of gover- 
nance and management, including protection and promotion, for example privacy and 
personal data protection. 
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2.2.2 History 


While some rudimentary anticipation of consequences has perhaps always been present 
in any form of decision-making, impact assessment and similar evaluation techniques for- 
malised such anticipation of consequences as they grew out of the emergence of new and 
- at the time — poorly understood dangers to individual and collective societal concerns. 
These dangers were typically framed as uncertainty and risk, and it was understood to 
be in the interest of society to reduce them. For example, technology assessment (TA) 
emerged in 1960s in the United States, initially as a tool used by scientific committees to 
respond - largely, by advising policy makers on policy alternatives — to increasing pu- 
blic concerns relating to the negative social consequences of discoveries and inventions. 
TA was subsequently institutionalised as a means to ensure product safety, and gradually 
came to encompass a broader spectrum of issues relating to society and technology." In 
parallel, environmental impact assessment (EIA) surfaced as a response to the gradual 
degradation of the natural environment.” These developments have aided the spread of 
evaluation techniques as a practice worldwide, and have resulted in the proliferation, and 
sometimes institutionalisation, of impact assessment in areas of practice ranging from 
healthcare,” regulation (governance), ethics and surveillance practices'® to privacy” 
and personal data protection. New types and areas of practice of impact assessment may 
well also emerge in the future. 

Nevertheless, some 50 years after the emergence of the first types of impact assessment, 
this evaluation technique still failed to stand out as a clear-cut practice. Only in certain 
areas had it taken hold, such as TA, EIA or regulatory impact assessment (RIA), while 
in other areas it remains under development, for example in the areas of ‘social’ impact 
assessment’? or human rights impact assessment.” 

The emergence and proliferation of privacy impact assessment (PIA) and - subse- 
quently — data protection impact assessment (DPIA) is frequently attributed to four main 
factors, namely: (1) the development of science and technology, and their growing int- 
rusiveness into individual lives and social fabric,” (2) the increasing importance of the 
processing of personal data for contemporary economies, national security, scientific re- 
search, technological development and inter-personal relationships, among others,” (3) 
the process of globalisation and (4) the negative experiences stemming from the use and 
misuse of personal data in the past, in both public and private sectors, and the growing 
awareness of all of these.” 

Based on the experience of evaluation techniques in other areas of practice, it was ex- 
pected that PIA and DPIA would become powerful vehicles for compliance with, and 
enforcement of, privacy and personal data protection law.” PIA — and later DPIA — emer- 
ged in the 1990s and became institutionalised in different forms and at various levels of 
compulsion, first in common law jurisdictions, such as New Zealand, Australia, Canada 
and the United States. In Europe, the earliest policy for PIA was developed in the United 
Kingdom in 2007.” 


33 


Border Control and New Technologies 


The European Union (EU) has thus far put in place two sector-specific voluntary PIA 
policies: the first for radio-frequency identification (RFID) applications (2009), and the 
second for intelligent energy networks (‘smart grids’; 2012-14). In a parallel develop- 
ment, the most recent ‘better regulation’ package (2017) advances privacy and personal 
data protection as just two of the many societal concerns under assessment in the proces- 
ses of EU law- and policy-making; the other being (all other) fundamental rights, environ- 
mental and economic concerns.” 

After the entry into force of the GDPR (2016), the Police and Criminal Justice Data 
Protection Directive (2016),” and Regulation 2018/1725 on the protection of personal data 
processed by EU institutions, bodies, offices and agencies (2018),*° a mandatory policy for 
impact assessment was progressively introduced across the EU in the area of personal data 
protection. (By virtue of the European Economic Area (EEA) Agreement, the GDPR is 
likewise applicable in Norway, Iceland and Liechtenstein.) In addition, the ePrivacy Re- 
gulation, proposed in 2017 and expected to be passed into law in 2021, if adopted in its cur- 
rent wording, would also require a process of DPIA to be conducted in specific situations.” 

This proliferation of mandatory policies for impact assessment in the areas of privacy 
and personal data protection is also observed beyond the EU. The Council of Europe’s 
recently finalised modernisation of ‘Convention 108’ (2018) introduced a similar requi- 
rement; the importance of the said Convention lies in the fact that it is open for signature 
also by non-Member States of the Council of Europe, hence influencing global standard 
setting. At the same time, various policies for PIA and DPIA, or — simply — for risk ap- 
praisal in the areas of privacy and personal data protection, have been introduced recently 
in Serbia (2018)* and Switzerland (2020),** and - beyond Europe - in Israel, Japan, South 
Africa and South Korea, among other states. In addition, a number of international or- 
ganisations, such as the International Committee of the Red Cross,” have introduced a 
requirement for such an assessment process into their by-laws. 


2.2.3 The benefits of impact assessment 


The benefit of impact assessment lies predominantly in its parallel contribution to infor- 
med decision-making and to the protection and promotion of societal concerns. 

The former category, namely informed decision-making, usually attracts sponsoring 
organisations, as it brings with it benefits associated with a switch to anticipatory thinking. 
This permits those organisations to reflect on the consequences of their envisaged initia- 
tives as well as on the means to - at least - minimise, or sometimes even avoid, negative 
and unintended consequences before they occur (‘early warning’), leading to gains both in 
terms of resources and public trust. 

Impact assessment can also ease compliance with legal and otherwise regulatory requi- 
rements (such as technical standards); for example, PIA ‘can be an excellent entry point 
for applying the principles of Privacy by Design.** Being a ‘best-efforts obligation, impact 
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assessment constitutes evidence of due diligence, which can potentially limit or even ex- 
clude legal liability.” In parallel, impact assessment allows sponsoring organisations to ex- 
plain themselves to regulatory authorities (that is, to give account of) as to how they have 
acquitted themselves of certain responsibilities (that is, accountability) often facilitating 
part(s) of the work of such authorities. Eventually, impact assessment, if conducted in a 
transparent manner, may increase public confidence by showing that a sponsoring orga- 
nisation takes societal concerns seriously. In addition, the private sector might be particu- 
larly interested in using impact assessment to demonstrate corporate social responsibility. 

The latter category, namely protection and promotion of societal concerns, is usually 
attractive for public authorities because a requirement to conduct the assessment process 
helps them in fulfilling their mission to offer practical and efficient protection of relevant 
societal concerns (for example, certain human rights, such as privacy or personal data 
protection) for the benefit of the individual and society at large. For individuals and social 
groups, impact assessment is a means to voice their concerns (primarily through stakehol- 
der involvement), which contributes to procedural justice. Impact assessment seeks to 
accommodate diverse interests and consequently contributes to the drawing of a ‘thin red 
line’ between legitimate yet seemingly competing interests, for example national security 
and the protection of personal data (for instance, in DPIA), or the competitiveness of na- 
tional economy and environmental protection (for instance, in EIA). In comparison with 
other protection tools, impact assessment may provide a wider scope in this regard than, 
for example, compliance checks, which can often be reduced to mere ‘tick-box’ exercises. 


2.2.4 The drawbacks of impact assessment 


Critics of impact assessment have argued that it unnecessarily burdens sponsoring organi- 
sations, adding to an already-overgrown bureaucracy, causing unnecessary expenditure and 
delays in decision-making, or even slowing the deployment of an initiative in question. It 
is thus no surprise that there is a recurrent wish for the process of impact assessment to be 
quick, simple and cheap.“ Opponents underline the complexity of the assessment process in 
practice, the difficulties it brings, the lack of practical experience, and minimal or non-exis- 
tent guidance and oversight. They further question its added value over other evaluation 
techniques, for example, compliance checks, as well as its efficacy, pointing out the broad 
discretion often afforded as to whether and how an assessment process should be conducted. 

Impact assessment is often criticised for contributing to achieving only the minimum 
necessary compliance with regulatory requirements, with the least amount of effort, or 
instrumentally, in order to legitimise intrusive initiatives. Some sponsoring organisati- 
ons are criticised for focusing on assessment processes in an abstract fashion, instead of 
using them as a means to address the consequences of a given envisaged initiative. Such 
organisations often confuse impact assessment with auditing. They incorrectly consider 
the consequences as being applicable only to themselves (for example, reputational or 


35 


Border Control and New Technologies 


financial risks), rather than assessing the consequences for individuals and the public at 
large. Ultimately, impact assessment is often performed too late, that is, when the design of 
an initiative can no longer be meaningfully influenced. Critics further suggest that when 
impact assessment is compulsory, it represents a regulatory requirement too narrow in 
scope, allowing significantly dangerous initiatives to escape scrutiny. When an assessment 
process has been performed, it usually lacks transparency, that is, the process as a whole is 
opaque, hard for the layperson to understand (for example, due to a high level of technical 
complexity) and final results (in particular, the report including recommendations) are 
difficult, if not impossible, to find. It is often also criticised for failing to involve stake- 
holders, or giving them limited scope, therefore making their participation meaningless. 
All in all, impact assessment is first and foremost an aid for decision-making. It is no 
‘silver bullet’ solution: the quality of advice, and hence protection and promotion it can 
offer, depends on the way it is used, on the support it receives from public authorities, and, 
in the long run, on the oversight exercised by regulatory authorities and courts of law alike. 
Impact assessment does not come without difficulties, yet with straightforward application 
and clear methods, supported by guidance, advice and oversight, impact assessment can 
ultimately contribute to a more robust protection and promotion of societal concerns.” 


2.2.5 Integration of evaluation techniques 


Following the principles of the relevance of the benchmark and its adaptiveness (cf. infra), 
each assessment process is tailored (adapted) to the needs and reality of the initiative under 
assessment. In this regard, experience has shown that multiple types and areas of impact 
assessment — and, more broadly, evaluation techniques — can be integrated within a single 
assessment process. For example, the processes of PIA and DPIA might be combined if 
an envisaged initiative touches upon both societal concerns of privacy and personal data. 

Such integration of evaluation techniques can be beneficial for at least three reasons: (1) 
since ‘everything is inherently interconnected; integration might render a more comple- 
te picture for decision-makers, (2) it leads to greater efficiency, i.e. a maximisation of pro- 
ductivity with minimum wasted effort or expense, and (3) it allows for inclusion of aspects 
not required in legally mandated evaluation techniques.“ Such integration bears fruit on 
the condition that the integrated method, and in particular its benchmark, is internally 
coherent and not contradictory. In other words, integration of diverse types and areas of 
practice of impact assessment leads to an outcome that is greater than the sum of its parts. 

However, while integration may contribute to efficiency, it could also lead to the subor- 
dination of certain elements of the benchmark, particularly ‘those that are supposed to 
have their status raised in decision making through specific assessment instruments,” an 
outcome that is not desired. For example, the process of human rights impact assessment 
is intended to deal with the entirety of human rights, yet largely at the expense of the atten- 
tion normally given to each human right were they to be assessed individually. 
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2.3 The framework for impact assessment 


The framework for impact assessment sets foundations for both the theory and practice 
of impact assessment. It consists of 16 conditions and principles applicable to any type or 
area of practice of impact assessment. 


Building on a comparative analysis and critical appraisal of multiple frameworks for 


impact assessment, these conditions and principles are:*° 


l. 


Systematic process. Impact assessment is a systematic process undertaken in accordan- 
ce with an appropriate method and conducted in a timely manner. It starts early in the 
lifecycle of a single initiative, or a limited number of similar initiatives (for example, 
a proposed technology or a piece of legislation), prior to deployment. It continues 
throughout the development life-cycle and beyond as the society changes, dangers 
evolve and knowledge grows. It is revisited when needed, thus continuously influen- 
cing the design of the initiative under assessment. 

Relevant benchmark. The assessment process analyses the possible future consequen- 
ces of deploying a given initiative, or a set of similar initiatives, against the relevant 
societal concerns, both individual and collective, commensurate with its type (for 
example, DPIA pertains to the protection of individuals whenever their personal data 
are being processed and EIA pertains to the natural and human environment). Thres- 
hold analysis (scoping, context establishment, etc.) and stakeholder involvement help 
in determining and maintaining a list of such concerns. Whenever necessary, multiple 
types of impact assessment are performed for a given initiative, possibly in an integra- 
ted manner. 

Rational requirement. Not all initiatives require an assessment process. Such a need is 
therefore determined by factors such as the nature, scope, context and purpose of the 
initiative under assessment, the number and types of individuals affected, etc. Impact 
assessment is, however, to be considered compulsory at least for initiatives capable of 
causing severe negative consequences to relevant societal concerns. 

Appropriate method. There is no ‘silver bullet’ method for performing the assessment 
process. What matters is the choice of an appropriate assessment method allowing for 
the most comprehensive understanding of possible future consequences of the envis- 
aged initiative. 

Recommendations. The assessment process not only identifies, describes and analyses 
possible future consequences — positive or negative, intended or unintended — of an 
initiative under assessment, but also identifies, describes, analyses and prioritises pos- 
sible solutions (recommendations) to address these consequences. 

Best efforts endeavour. Impact assessment constitutes a ‘best efforts obligation: Since it 
is impossible to reduce negative consequences in absolute terms (as it is to maximise 
positive ones), sponsoring organisations react to them to the best of their abilities, 
depending upon the state-of-the-art and, to a reasonable extent, available resources. 
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Assessor’s competence. The assessment process requires the assessor, or team of asses- 
sors, to have sufficient knowledge and know-how, corresponding to the type and area 
of practice of impact assessment at stake, for successful completion of the process. 
Assessor's professional independence. The independence of the assessor — be they ex- 
ternal or in-house — is ensured: they do not seek nor accept any instruction, avoid any 
conflict of interest, avoid any (personal) bias, and have sufficient resources (namely: 
time, money, workforce, knowledge and know-how, premises, and infrastructure) at 
their disposal. 

Documentation and transparency. The assessment process is documented in writing 
or other permanent form, and is made available for unrestricted public access. The 
public at large is informed about the assessment process, its terms of reference, in 
particular the method, and its progress. Both draft and final assessment reports are 
easily accessible. Such access is granted without prejudice to state secrets, trade se- 
crets, personal data or otherwise privileged information. 

Deliberativeness. The assessment process is deliberative in the sense that it involves the 
participation of stakeholders. External stakeholders, be they individuals or civil socie- 
ty organisations affecting, affected, concerned by or merely interested in the initiative 
under assessment, or the public at large, are identified and meaningfully informed 
about it, their voices are actively sought and duly taken into consideration (namely 
through a process of consultation and — possibly — co-decision). Information given 
and sought is robust, accurate and inclusive. Individuals and/or their representatives 
have effective means of challenge, for example, in a court of law or similar tribunal, 
should they be denied involvement or should their views be ignored. In parallel, anyo- 
ne within the sponsoring organisation (that is, internal stakeholders) is to participate 
in the assessment process under the same conditions. Exceptions to stakeholder in- 
volvement, if justified, are interpreted narrowly. 

Accountability. The sponsoring organisation is accountable for the assessment pro- 
cess. Decision-makers within such an organisation choose, among other things, the 
method of assessment and assessors that will conduct it. They eventually approve the 
final assessment report and, in a subsequent process, may monitor the implementati- 
on of proposed solutions (recommendations). An external entity (for example, a re- 
gulatory authority or an auditing body) scrutinises the quality of the assessment pro- 
cess; the selection criteria are transparent. Therefore, a sponsoring organisation is able 
to demonstrate the satisfactoriness of the undertaken assessment process. However, 
in situations where an assessment process is made compulsory by law (for example, in 
DPIA in the EU, when there is a likelihood of a high risk to the rights and freedoms of 
data subjects), non-compliance and malpractice are proportionately sanctioned. 
Simplicity. The assessment process is simple, that is, not unduly burdensome. The me- 
thod serves those who use it, and is therefore structured, coherent, easily understan- 
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dable, and avoids prescriptiveness, over-complication and abuse of resources. There is 
however an inherent trade-off between the simplicity of use and the technical sophis- 
tication and accuracy of the assessment. 

Adaptiveness. Impact assessment is adaptive to the characteristics of an initiative un- 
der assessment and its sponsoring organisation (‘one size does not fit all’) in terms of, 
for example, type and complexity thereof (e.g. technology development, scientific re- 
search or legislative proposals) or the type and number of individuals concerned (af- 
fected) (e.g. nuclear safety is not to be considered in the same manner as personal data 
protection). The method and the template for impact assessment might be modular, 
or ‘consisting of separate parts that, when combined, form a complete whole,” allo- 
wing the addition and/or swapping of one module for another, as impact assessment 
is responsive to geographical and cultural differences, as well as to variations between 
legal systems (jurisdictional differences). In addition, as impacts can be appraised in 
many ways, assessors might resort to other evaluation techniques deemed more ap- 
propriate, entirely or in part, possibly in an integrated manner. 

Inclusiveness. Impact assessment is inclusive. This ensures as many stakeholders (in- 
cluding experts and laypersons), relevant societal concerns and relevant development 
phases as possible, commensurate with the societal concerns at stake, and the type 
and area of practice of impact assessment, are included in the assessment process. 
Receptiveness. Impact assessment is receptive. The framework, method, template and 
process evolve as a result of learning from previous experience in parallel evaluation 
techniques (for example, TA, EIA, risk management, etc.), knowledge from related 
disciplines (for example, law), and changes within society. 

Supportive environment. Impact assessment requires a supportive environment in or- 
der to bear fruit. It needs, inter alia, continuous high-level support from policy-ma- 
kers, and a spirit of cooperation among external and internal stakeholders. Regulators 
offer guidance and practical assistance in the assessment process, in the form of ade- 
quate training, guidelines, explanations and advice, among other things. 


2.4 A generic method for impact assessment 


The generic method lays the foundations for specific methods for impact assessment of 
multiple types and in multiple areas of practice. The generic method consists of ten steps 
(six consecutive steps, three steps executed throughout the entire process, and one step 
conducted afterwards), grouped into four phases. Some of these steps follow a logical 
sequence, namely the outcome of one step informs a subsequent one, while others are a 


function of the principles and conditions embodied in the framework. 
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These steps, building on a comparative analysis and critical appraisal of multiple me- 


thods for conducting the assessment process, are as follows: 


Phase |: Preparation of the assessment process 


1) 


2) 


3) 


Screening (threshold analysis). This step determines whether the process of impact as- 
sessment is warranted or necessary for a planned initiative or a set of similar initiatives 
in a given context. The screening is based on an initial yet sufficiently detailed descripti- 
on of the said initiative, both contextual and technical. The determination is made in ac- 
cordance with threshold criteria, both internal (i.e. the organisation’s own policies) and 
external (i.e. those set out in legal or other regulatory requirements), or ad hoc criteria, 
such as public pressure. If an assessment process is neither warranted nor necessary, the 
entire process is then concluded with a reasoned statement of no significant impact. 

Scoping. This step, on the basis of the initial description, is taken to determine the 

extent of the assessment process and hence identifies: 

a) societal concerns, and their scope, that may be touched on by a planned initiative, 
such as privacy, personal data protection, (applied) ethics, or the natural and human 
(biophysical) environment, and the corresponding legal or other regulatory requi- 
rements; these concerns will constitute a benchmark of a given assessment process; 

b) categories of stakeholders who might affect, be affected by, be concerned with 
or be interested in the envisaged initiative(s), or who possess knowledge thereof 
(experts), as well as the level of their involvement; stakeholders might suggest 
further stakeholders to be included; 

c) techniques and methods for the appraisal of impacts and for stakeholder invol- 
vement, including public participation in decision-making, which will be used 
throughout a given assessment process; 

d) other evaluation techniques beyond the process of impact assessment that might 
be necessary or warranted in order to ensure the completeness of the information 
used in the decision-making process (for example, TA or EIA); and 

e) anything else, as practicable. 

It may be the case that not all of these elements and people are identifiable at the 

beginning of the assessment process, and hence their identification might need to be 

revised periodically. 

Planning and preparation. This step defines the terms of reference for the execution of 

the assessment process. Not all of its elements, however, are of equal importance and 

applicability. These terms include, among others: 

a) the objectives; 

b) the criteria for the acceptability of negative impacts; 

c) the necessary resources (namely: time, money, workforce, knowledge, know-how, 
premises and infrastructure); 

d) the procedures and time-frames for the assessment process; 

e) the team of assessors (in-house or outsourced), their roles and responsibilities, 
and assurance of their professional independence; 
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f) a detailed list of the stakeholders to be involved (including, for example, their 
contact details) and a consultation plan, if necessary; 

g) the criteria triggering a revision of the assessment process; and 

h) the continuity of the assessment process in the event of, for example, changes 
in the actors involved in the assessment process, disruption, natural disasters or 
utility failures. 


Phase ll: Assessment 


4) 


5) 


6) 


Systematic description. This step, on the basis of the initial description (see Step 1), pro- 
vides a sufficiently detailed, two-part account of the planned initiative. First, there is a 
contextual description, which typically consists of, but is not limited to, a description of: 
a) the planned initiative(s) and of the sponsoring organisation; 

b) the context of deployment of the initiative; 

c) the need for the initiative; 

d) possible interference(s) with societal concern(s); and 

e) the expected benefits and drawbacks. 

Second, a technical description. In the case of EIA, this gives an account of, for exam- 
ple, the affected components of the biophysical environment, and, in the case of DPIA, 
it describes, for example, the categories of personal data and their flows within a pro- 
cessing operation. This description may be subjected to alterations and amendments 
as the assessment process progresses. 

Appraisal of impacts. In this step, the impacts of the envisaged initiative are evaluated 
in accordance with the pre-selected techniques (cf. Step 2). These impacts pertain to 
the societal concern(s) that might be touched upon by the planned initiative, and to 
the stakeholders who are largely external to the sponsoring organisation. Typically, 
this appraisal consists of — at least — a detailed identification, analysis and evaluation 
of the impacts. 

The appraisal techniques range from risk analysis (qualitative or quantitative risk ma- 
nagement, or a combination of the two), scenario analysis (planning) and techno- 
logy foresight, through a legal and regulatory compliance check, legal interpretation 
techniques, and a proportionality and necessity assessment, to a cost-benefit analysis 
(CBA) and a strengths, weaknesses, opportunities and threats (SWOT) analysis. 
Recommendations. In this step, concrete, detailed measures (controls, safeguards, solu- 
tions, etc.), their addressees, their priorities and the time-frames for addressing them 
are proposed to minimise the negative impacts of the planned initiative and, if possi- 
ble, to maximise the positive ones. The assessors justify the distinction made between 
‘negative’ and ‘positive’ impacts, since this distinction is contextual and subjective. The 
assessors may take stock of the measures already implemented. On this basis, after the 
conclusion of the assessment process, the leadership of the sponsoring organisation 
takes a decision on whether or not to deploy the initiative. An initiative is normally 
cancelled altogether if the negative impacts are unacceptable (see Step 3b); to carry out 
such an initiative would be exceptional and would require sufficient justification. 
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Phase III: Revisiting 


7) 


Revisiting. In this step, a decision is made on whether or not to carry out the process 
again, entirely or in part. This step may occur every time the envisaged initiative is 
modified (before or after its deployment) or every time the context in which it is going 
to be deployed, or has already been deployed, changes. This step also ensures the con- 
tinuity of the assessment process, such as in the case of a transfer of the initiative to 
another sponsoring organisation. 


Ongoing phase 


8) 


Stakeholder involvement, including public participation, in decision-making. This is an 
ongoing, cross-cutting step that runs throughout the entire assessment process, in 
which stakeholders, including the public and/or their representatives, take part in the 
assessment process. 

Understood broadly, a stakeholder is someone who holds an interest in something, re- 
gardless of whether or not they are aware of this and of whether the interest is articulated 
directly or not. In the context of impact assessment, a stakeholder is an actor that is or 
might be affecting, affected, concerned by or be interested in the outcome of a planned 
initiative. A stakeholder may also be an expert who possesses specific knowledge and 
know-how about the initiative. The concept of stakeholder is therefore open-ended and 
can include the public (laypeople, etc.), decision-makers, experts, and more. Stakehol- 
ders can be individuals or collective entities, regardless of whether they are formally (le- 
gally) recognised or not. They may be societal groups, communities, nations, the public 
at large, civil society organisations, etc. There are multiple (groups of) stakeholders, and 
hence they can be grouped into internal (e.g. employees or work committees) and ex- 
ternal (e.g. customers or non-governmental organisations) ones, and primary (i.e. those 
with a direct stake in the initiative, for example, investors) and secondary (i.e. those with 
an indirect interest yet influential, for example, the state) ones, or they can be classified 
by their attributes, including, but not limited to, power, legitimacy and urgency. 
Stakeholder involvement constitutes an integral component of the assessment pro- 
cess, and is normally omitted only in exceptional situations. For example, stakeholder 
involvement may be judged unnecessary because of similarities with an earlier, similar 
initiative, because no promising new insights or thoughts are to be gained, or because 
it would require an effort that would be disproportionate to the results. A decision not 
to involve stakeholders, or to deviate from the results of such an involvement, must 
be reasoned and documented. Whenever stakeholder involvement is mandatory, legal 
remedies are available for the entitled stakeholders, provided that their involvement is 
absent or insufficient, commensurate with the level of involvement pursued in a given 
assessment process. In any case, stakeholder involvement does not give rise to any 
negative consequences for its participants (for example, exploitation). Personal data 
of identified stakeholders are appropriately protected. 


42 


9) 


2 - The concept of impact assessment 


The level of stakeholder involvement can range from: (a) merely being informed or 
taught about a planned initiative (low level); to (b) dialogue and consultation, in 
which the stakeholders’ views are sought and taken into consideration (middle level); 
or even to (c) co-decision by the stakeholders and a sponsoring organisation about 
the deployment of the initiative in question and, subsequently, partnership with the 
stakeholders in its implementation (high level).” 

From a practical viewpoint, typically stakeholders are first identified, then informed 
and consulted and, eventually, their views are considered (in case of consultation) 
or they are asked for an agreement (in case of co-decision). Information given and 
sought is robust, accurate, inclusive and meaningful. Information is given to stakehol- 
ders in plain language, and hence may require the preparation of specific documen- 
tation, for example technical briefings and/or translations. Stakeholders are involved 
with due respect for confidentiality, including state secrets, trade secrets, personal 
data or otherwise privileged information. Having gathered the viewpoints of the sta- 
keholders, the assessor considers and takes a position on their views, i.e. on whether 
they accept them or not; especially in the case of the latter, the assessors are to provi- 
de exhaustive justification. (Stakeholders are not assessors; the former provide input, 
which the latter subsequently take into account or reject.) 

There are a plethora of techniques for engaging stakeholder involvement, ranging 
from information notices to interviews, questionnaires and surveys, to focus groups, 
roundtables, workshops and citizens’ panels, and including structured techniques, 
such as a ‘world café’ or use of the ‘Delphi method "7 An appropriate technique, or a 
combination of techniques, is selected depending on the level of stakeholder involve- 
ment desired, the planned initiative, the context of the deployment of the initiative, 
and the resources at the disposal of the sponsoring organisation. 

Stakeholder involvement can bring several benefits to the assessment process (for 
example, enhancement of its quality, credibility and legitimacy) and to the outcome 
(for example, the decision-making process being better-informed), to be contrasted 
with its drawbacks, which include, inter alia, the question of representativeness (over- 
or under-representation), fairness (for example, manipulation, ‘astroturfing’),” reluc- 
tance, communication barriers, conflict between public and private interests, and the 
resource-intensive nature of the entire stakeholder involvement process. 
Documentation. This is an ongoing, cross-cutting step, and runs throughout the entire 
process. Records are kept, in writing or in another permanent form, of all activities 
undertaken during the assessment process. This step includes the preparation of a 
final report stemming from the assessment process (or a statement of no significant 
impact, where applicable). The full spectrum of documentation from a given assess- 
ment process, preferably in an electronic format, may be made publicly available, cen- 
trally registered, and/or presented for inspection upon request (with due respect for 
legitimate confidentiality concerns). 
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10) Quality control. In this ongoing, cross-cutting step that runs throughout the entire as- 
sessment process, the adherence to a standard of performance is checked (procedural, 
substantive, or both), either internally (for example, through progress monitoring or a 
review by the sponsoring organisation) or externally (for example, by an independent 
regulatory authority through an audit, or by a court of law), or both. The quality con- 
trol, regardless whether structured or ad hoc, can equally well occur during or after 
the assessment process, or both. 


The above-mentioned method for assessing the impacts of an initiative on a societal con- 
cern, or concerns, is of a generic nature and needs to be tailored to the specificities and 
needs of a given area of practice, of the stakeholders (including the public) involved, and 
of the context of use. Consistent with its purpose, the present textbook offers, in Chapter 8 
and Annex 1, a tailor-made method and template, respectively, for integrated impact as- 
sessment of border control technologies. 
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3.1 Introduction 


3.1.1 Definition of privacy 


While the adjective ‘private’ is an easily comprehendible term in everyday language (me- 
aning that something is not intended for the public), its derivative noun ‘privacy’ is more 
complex to grasp. Dictionaries define it today, for example, as the “freedom from unau- 
thorised intrusion” or the “state of being let alone and able to keep certain especially per- 
sonal matters to oneself”’ Privacy has been analysed from different perspectives such as 
legal, as a right, ethical, as a virtue or value,” economic, as a utility or interest, or political, 
as a public or private good? 

Nowadays, privacy is frequently intertwined with and threatened by novel and emer- 
ging technologies. For the purposes of integrated impact assessment for border control 
technologies, to which the present textbook is devoted, this Chapter mostly focuses on 
privacy as a legal right. In operationalising the right to privacy, this Chapter follows the 
structure below. In the next sub-sections, some further introductory notions on privacy 
(its importance for society, historical development and relevant regulatory instruments 
and actors involved) are provided, including the importance of privacy within the assess- 
ment process. Section 3.1.2 describes the content of the right to privacy, offering legal and 
theoretical conceptualisations. 


3.1.2 Historical development of the right to privacy in Western legal 
systems 


According to a general consensus among scholars, the history of privacy in modern Wes- 
tern legal systems dates back to a law review article published in 1890 by two Boston 
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lawyers, Samuel Warren and Louis Brandeis.“ Their idea of privacy came as a reflection on 
the appearance of new technologies (more specifically, instantaneous photography) that 
newspapers used to cover gossip stories, “overstepping the limits of propriety and decency, 
causing harm both to the individuals portrayed and to the community, lowering — it was 
believed - social standards and morality” At that time, the right to privacy was elaborated 
merely within the paradigm of tort (delict) law, conceptualised as a civil claim for dama- 
ges, as opposed to a fundamental or constitutional right. Originally explicated as a “right 
to inviolate personality’, the right to privacy meant that each individual had the right to 
choose to share or not to share with others information about their “private life, habits, 
acts, and relations”.® Alternatively, it was conceptualised as “the right of each individual 
to protect his or her psychological integrity by exercising control over information which 
both reflected and affected that individual's personality”. 

Today, as a civil right, privacy is protected in civil law, within a jurisdiction, or, as a 
fundamental right, in constitutional law, at a national or regional level. As a civil right, it 
distinguishes the person from the outside world and is essential for one’s autonomy and 
protection of human dignity. As a fundamental right, privacy is known as the right to 
respect for private and family life, the home, and correspondence (hereinafter ‘the right 
to privacy’). It encompasses the idea of positive freedom, where a person has the freedom 
to determine, for example, the extent to which they control their own intellectual activity, 
and negative freedom, as a demand that others refrain from interference. 


3.1.3 The importance of the right to privacy in society 


In recent years, the right to privacy in society has gained in importance due to the increased 
digitalisation and ubiquitousness of computers. As a result, in the online environment, pri- 
vacy is alternatively called ‘informational privacy; ‘data privacy’ (usually in US literature) 
or ‘online privacy’. Participating in the interconnected world means that individuals are not 
characterised by their own choices alone; in a community, interaction with other individu- 
als and the way in which information is shared with them is what defines a sphere of activity. 

In the past, in small-scale communities, citizens were only able to interact with their 
neighbours and their immediate community, and on occasions when persons with in- 
fluential status would receive public critique, privacy interferences were occasional and 
smaller in scale. Nowadays, by contrast, large-scale monitoring of individuals presents 
different dangers, and impacts them multi-dimensionally. For instance, personal infor- 
mation obtained via contemporary means is recorded and stored, while more and more 
aspects of everyday life are transformed into data (e.g. payments through cards, sales via 
e-commerce, activity upon social media, and interactions with the government online). 
The development of computer technology makes it possible to store data with virtually no 
limits to the scope of processing or the storage duration. Furthermore, the information 
collected can be organised and transferred in an instant. 
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In sum, the online privacy of individuals is continuously threatened in many ways, 
for instance, when people share personal information with other users and entities, via 
the internet, smartphones, social networks, drones, biometric identification terminals or 
the Internet of Things (IoT). In such scenarios, the right to privacy protects individuals 
against arbitrary and unjustified use of power by reducing what can be known about them 
by others, such as public authorities or technology companies. 


3.1.4 The importance of the right to privacy in the PERSONA benchmark 


The inclusion of privacy as an element of the benchmark of an integrated impact assess- 
ment process is therefore indispensable in gaining an adequate understanding of the im- 
pacts on the right to privacy in the area of border control. 

On the one hand, certain practices in the realms of border control affect the right to 
privacy of certain religious groups. An example is the obligation to temporarily remo- 
ve clothing while performing security checks or while taking photos destined for offici- 
al identity documents. This obligation is particularly sensitive and controversial when it 
comes to removing religious clothing, such as in the case of Sikhism. A practicing Sikh 
complained of an interference with his right to freedom of religion by airport authorities, 
who had obliged him to remove his turban as part of a security check imposed on pas- 
sengers entering the departure lounge. Defending his freedom of religion and his right to 
privacy, he argued that there had been no need for the security staff to make him remove 
his turban, especially as he had not refused to go through the walk-through scanner or 
to be checked with a hand-held detector.’ In this case, the same Court held that security 
checks in airports were necessary in the interests of public safety, however it stressed that, 
due to the occasional character of the incident, states may decide otherwise. In another 
case, a practicing Sikh claimed that the requirement for him to appear bareheaded in the 
identity photograph on his driving licence amounted to interference with his private life 
and with his freedom of religion and conscience.’ This self-determination as to how an 
individual publicly appears falls within the scope of protection of the freedom of religion 
and the right to privacy. However, the driving licence is an official document which, upon 
request, could be presented to identify the individual. The European Court of Human 
Rights (ECtHR) stated that such photos were required by authorities in charge of public 
safety and law and order, particularly in the context of checks in public places. It held that 
the interference had been justified in principle, and was proportionate to the aim pursued. 
The same requirements could be extended to the issuance of an identity card or travel 
documents. 

On the other hand, the increasing use of digital technologies in border control exacer- 
bates existing impacts on the right to privacy. An example is facial recognition. Modern 
airports have progressively chosen to install automated border gates (or ‘smart borders’) 
with hundreds of ‘touchpoints’ that track travellers in their interactions with airlines and 
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border agencies. Most organisations acknowledge that the potential of facial recognition 
technology is significant, and its upcoming applications could provide benefits to public 
safety and security. However, if mismanaged, this technology may potentially lead to a 
perception of widespread surveillance, and could affect individuals differently, depending 
on their belonging to specific categories or groups, culminating in ‘chilling effects’ (e.g. 
causing distress and anxiety to individuals about the use of such technology), and ultima- 
tely eroding their right to privacy or other interconnected fundamental rights. 

Additionally, facial recognition technology relies on the collection and processing of 
biometric information that is unique and permanent. The capacity and sophistication of 
this technology is continuously evolving (e.g. through self-improving algorithms) and can 
be used in unforeseen ways or linked with other next-generation technological tools in 
a manner that creates risks of harm to individuals and distortion of public confidence." 
Frequently, actors involved in the deployment of such technologies use large-scale datas- 
ets, which are often collated. Decisions made about individuals using these identifiers, po- 
tentially without their knowledge or consent, may lead to serious risks to their rights and 
freedoms. Discriminatory effects are frequently given rise to; there could be a non-negligi- 
ble impact in the ability to exercise certain other fundamental rights, such as the freedom 
of expression and association. Lastly, damage to reputations or social disadvantages are 
also possible consequences, sometimes without adequate avenues for recourse. 


3.1.5 Relevant regulatory instruments and actors involved 


3.1.5.1 Protection and promotion of fundamental rights 
In liberal democratic societies, basic principles and rules pertaining to the protection of 
privacy — as well as other important societal concerns - enjoy a special status in legal sys- 
tems, and hence are situated at the top of the hierarchy of legal norms, as human (funda- 
mental) rights, heavily intertwined with the essential principles of such a system.'’ Human 
rights are the rights that “every person has by virtue of merely existing and that aim to 
secure for such a person certain benefits or freedoms that are of fundamental importance 
to any human being" 17 

The right to privacy is protected and promoted by a network of legal instruments, sup- 
plemented by an enforcement machinery consisting of predominantly international and 
national courts, yet no single one is solely designated to deal with issues of privacy. In ge- 
neral, the protection of privacy by rulemaking follows a tripartite and hierarchical pattern, 
namely international, regional and national. International legislation tends to be declara- 
tive and less enforceable, while regional and national legislation usually produces tangible 
legal effects and can be adequately enforceable. 
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3.1.5.2 International level 

Several instruments protect the right to privacy at an international level. At the UN level, 
Article 12 of the Universal Declaration of Human Rights” (UDHR, 1948) reads: “no one 
shall be subjected to arbitrary interference with his privacy, family, home or correspon- 
dence, nor to attacks upon his honour and reputation [...]”. Further, the 1966 UN Interna- 
tional Covenants - one on Civil and Political Rights," the other on Economic, Social and 
Cultural Rights, which together bind more than 170 countries around the world — sti- 
pulate the same provision at Article 17, with the key difference being that the Covenant is 
binding for contracting parties. Lastly, privacy is specifically protected in the Convention 
on the Rights of the Child'® under Article 16: “No child shall be subjected to arbitrary or 
unlawful interference with his or her privacy, family, home or correspondence, nor to 
unlawful attacks on his or her honour and reputation” 


3.1.5.3 Regional level 

In Europe, human rights are protected: 

A. At the level of the Council of Europe (CoE), where the main instrument is the Euro- 
pean Convention on Human Rights (ECHR, 1950) enforced by the European Court 
on Human Rights in Strasbourg. The Convention broadly defines the right to private 
and family life of every person living within the Council of Europe’s territorial scope 
of application (Article 8 ECHR), which is further analysed in Section 1.2.1. 

B. At the level of the European Union (EU), where the main instrument is the Charter 
of Fundamental Rights of the European Union (CFR, 2009)” enforced by the Court 
of Justice of the European Union (CJEU). The right guaranteed in Article 7 of the 
Charter corresponds to that guaranteed by Article 8 of the ECHR. Article 7 of the 
CFR is more concise, however, and reads: “Everyone has the right to respect for his or 
her private and family life, home and communications”. It is worth noting here that, 
in order to take account of developments in technology, the word ‘correspondence’ 
from the ECHR has been replaced by the broader word ‘communications.’ To con- 
form with the Council of Europe standards, the Charter implies that the meaning and 
scope of this right are the same as those of the corresponding Article of the ECHR.” 
Lastly, the extent to which limitation criteria apply to all fundamental rights recogni- 
sed in the Charter, are laid out in Article 52(1).”° 


Further regional legal instruments for the protection of privacy include 1969 American 
Convention on Human Rights” (enforced by the Inter-American Court on Human Rights 
in San Jose, Costa Rica) and the 1981 African Charter on Human and Peoples’ Rights” 
(enforced by the African Court on Human and Peoples’ Rights in Arusha, Tanzania). 
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3.1.5.4 National level 

At the national level, privacy laws are usually enacted and positioned within a state’s foun- 
ding document, the national constitution, where fundamental principles are enshrined. 
Constitutions enjoy higher protection within a given jurisdiction and are observed by 
dedicated supreme courts. The way in which the scope of protection and interpretation 
of a constitutional right is articulated principally depends on the nation’s history, culture 
and values. For instance, the notion of ‘secrecy of correspondence; present in almost every 
constitution, is protected under the Belgian constitution in Article 29.” 

Besides its constitutional protection in national law, privacy is further enshrined in 
virtually any civil code, both within the European Union and beyond. A civil code is a le- 
gal instrument, applicable in a given jurisdiction, which codifies and regulates the private 
law (legal relationships among individuals), indicatively, the law of contracts, law of torts, 
property law, family law and the law of inheritance. Provisions in the civil code usually 
protect privacy directly, under the protection of one’s image, one’s name and one’s repu- 
tation, or indirectly, through the law of torts (e.g. one person’s harmful behaviour against 
another person's honour, reputation, and privacy). 


3.2 The contents of (the right to) privacy 


3.2.1 Legal conceptualisations 


In relation to conducting the process of integrated impact assessment, the protection of 
the right to privacy is relevant in situations where a private interest, or the ‘private life’ of 
an individual, could be compromised. The concept of ‘private life’ has been interpreted 
broadly in case law, as covering intimate situations, sensitive or confidential information, 
information that could prejudice the perception of the public against an individual, and 
even aspects of one’s professional life and public behaviour. The scope of private life in 
border control is difficult to define; no general pattern can be drawn. The assessment of 
whether or not there is, or has been, an interference with private life depends on the con- 
text and facts of each individual case.” 

What is protected by the right to respect for private and family life can be principally 
understood through the ways in which the European Courts (the ECtHR and the CJEU) 
have interpreted this fundamental right. There is no standard, universal scope of protec- 
tion; rather, the interpretation is contextual. Both Courts’ opinions on the scope of pro- 
tection converge. The limitations that may legitimately be imposed on the right to privacy 
by the Charter are comparable to those in the ECHR. The similarities between the two 
instruments permit for a simultaneous comparison and research of this right. 

This legal provision is divided into two paragraphs, providing for the rule and the ex- 
ception (conditions for interference therewith), stating that: “1. Everyone has the right 
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to respect for his private and family life, his home and his correspondence. 2. There shall 
be no interference by a public authority with the exercise of this right except such as is in 
accordance with the law and is necessary in a democratic society in the interests of natio- 
nal security, public safety or the economic wellbeing of the country, for the prevention of 
disorder or crime, for the protection of health or morals, or for the protection of the rights 
and freedoms of others???” 

Article 8 of the ECHR entails both a negative obligation on public authorities to re- 
frain from any actions that may creep upon private life, but, at the same time, a positive 
obligation to actively secure the respect for privacy. Not being an absolute right, it may 
be limited, provided that restrictions fulfil the conditions mentioned in the second para- 
graph. The ECtHR examines two cumulative conditions in its decisions: a) whether there 
was an interference with the right to respect for private life under Paragraph 1, and b) 
whether the interference was legitimate according to Paragraph 2. In the assessment of the 
test of necessity in a democratic society, the Court often needs to balance the applicant’s 
interests protected by Article 8 and a third party’s interests protected by other provisions 
of the Convention. The same Article protects at least one of the four interests identified 
in it, namely: (i) private life, (ii) family life, (iii) home, and (iv) correspondence. For the 
purposes of this Chapter, only private life is directly relevant. 

‘Private life’ is a broad concept not susceptible to any exhaustive definition, and may 
“embrace multiple aspects of the person's physical and social identity”. It involves personal 
information, which individuals can legitimately expect to not be published without their 
consent. The notion of private life is not limited to an ‘inner circle’ in which individuals 
may live their own personal lives as they choose and exclude the outside world: Article 8 of 
the ECHR protects the right to personal development, whether in terms of personality or 
of personal autonomy, and encompasses the right of each individual to approach others in 
order to establish and develop relationships with them and with the outside world. 

The same logic extends to professional and business activities.” Private life encompas- 
ses the right of an individual to form and develop relationships with other human beings, 
including relationships of a professional or business nature. Therefore, restrictions impo- 
sed on access to a profession have been found to affect ‘private life’ 

As well as the general sphere of private life, the scope of private life also concerns three 
more specific categories, i.e. a) physical, psychological and moral integrity, b) identity and 
autonomy and c) privacy in a strict sense.’ Under the first category fall, for instance, sexual 
orientation, disability issues, mental diseases and reproductive rights, and any personal in- 
formation relating to these. Within the boundaries of the second category are, indicatively, 
the right to gender, ethnic and racial identity, the choice of a desired appearance, the right 
to a name, marital or parental status, and the right to citizenship and residence. Lastly, as- 
pects of privacy in a strict sense are, among others: the pivotal right to one’s image and pho- 
tographs about oneself, the publishing of photos, images, and articles, the defence against 
defamation, claims relating to data protection, the right to access one’s personal informati- 
on, police surveillance, stop and search police powers, and information about one’s health. 
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3.2.2 Theoretical conceptualisations 


To assess the various impacts of an initiative on the right to privacy, assessors can benefit 
from theoretical conceptualisations, which could be done in different ways. One could ar- 
ticulate privacy, for example, as descriptive, normative or reductionist, control or use-ba- 
sed, and/or property or privacy-based, resulting in “a right to control access to and uses 
of places, bodies, and personal information’,” or “the ability to determine for ourselves 
when, how, and to what extent information about us is communicated to others”.*° For the 
purpose of performing the process of integrated impact assessment, this Section adopts 
the typology of Koops et al., as illustrated in the template (under ‘privacy screening’). 

Organising privacy-related theory via a typology is an explanatory step by which the ap- 

plication of (notions of) privacy in border control may be better understood. 

The analysis of the identified types of privacy is structured in a two-dimensional model, 
consisting of eight basic types of privacy (bodily, intellectual, spatial, decisional, commu- 
nicational, associational, proprietary and behavioural privacy), with an overlay of a ninth 
type (informational privacy) that overlaps, but does not coincide with, the eight basic ty- 
pes (Fig. 1). Furthermore, demarcating various aspects of privacy helps explain why priva- 
cy cannot merely be reduced to informational privacy, how the concept of privacy relates 
to the right to privacy, and how the right to privacy varies depending on the context of use. 
1. Bodily (physical) privacy: Bodily privacy encapsulates the right to protect the physical 

body of the individual. It connotes a negative freedom for anyone except for the con- 
cerned individual: one can exclude the others from unsolicited touching, restraining 
or restricting one’s body (sometimes including mental integrity). It further protects 
any unreasonable search and seizure, supplemented with additional restrictions for 
certain parts of the body, in particular the ‘private parts. A relevant illustration of this 
type of privacy is the compulsory provision of samples of body fluids and body tissue, 
as well as fingerprints. This type therefore concerns the physical body per se, and not 
clothing, bags, pockets etc., which fall within the scope of another type of privacy. 

2. Spatial privacy: Spatial privacy is the interest of a person to mark the existence of a 
reasonably understood private space or territory (individually controlled), by exclu- 
ding and/or restricting other peoples access to it or managing its use. It is comprised 
of an intimate zone (around the person) and an extended zone, in which the person 
is residing or inhabiting and is supposed to be acting privately (e.g. the area of the 
house). In both the intimate and extended zone, the individual sets the conditions for 
exposure. This type of privacy is triggered by, for example, the performance of unlaw- 
ful ‘searches’ that enable law enforcement to observe activities as they are taking place 
inside the home. A person should be able to (stressing the ability/control to do so) 
control (increase/decrease) the degree of openness to others by ‘tweaking’ the moda- 
lities of their intimate zone, this referring to a limited information flow within trusted 
relationships. An interference with spatial privacy in border control is rare, since it is 
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connected to the private property (home). Nonetheless, interrogation about how one 
acts at home and preferences in terms of social engagement, intimate partners, family 
members or close friends could fall within the scope of this type of privacy. 
Communicational privacy: Communicational privacy is the ability of a person to res- 
trict access to communications or to control the use of information communicated 
to third parties. The meaning of (tele)communications is continuously evolving, and 
is arguably one of the cornerstones of constitutional privacy protection, linked also 
to the freedom of expression. Historically, it would be solely associated with written 
(ie. postage) letters and telegraphy, but nowadays it is interpreted broadly, in order to 
accommodate newer forms of communicating at a distance, such as telephone calls, 
emails, instant messages and voice messages. This list is constantly expanding and 
evolving. Communicational privacy protects the secrecy of such communications, 
including their contents, channels and the traffic data. Communications may be me- 
diated or unmediated, resulting in different practices of controlling such messages. 
Relevant examples of communicational privacy in the area of border control are those 
of law enforcement guards intercepting personal communications, confiscating and 
accessing others’ electronic devices, ‘eavesdropping; or generally checking the content 
of stored communications without due reason. 

Proprietary privacy: Proprietary privacy is the interest of an individual in their use 
of property as a means to shield activity, facts, things, or information from public 
view. At its core, it is closely associated to spatial privacy, being similar in the fact that 
the user has the right to exclude others from their property. They differ, however, in 
that proprietary privacy concerns tangible objects, while spatial privacy concerns a 
‘defined’ area. Proprietary privacy is interfered with when, for instance, a person is 
compelled by a third party to reveal content in their purse, wallet, backpack, pockets, 
against their will. In other words, people choose to conceal certain objects, facts, situ- 
ations or even body parts behind their (mobile) property and, thus, choose whether 
and to which extent they expose to public view what they have concealed. The nature 
of computer devices (including smartphones, laptops, wearables and IoT objects) is 
hybrid, and falls first of all within the scope of proprietary privacy, on the basis of 
being hardware. 

Intellectual privacy: Intellectual privacy is the right of an individual to privacy of 
thought and mind, and the development of opinions and beliefs. This type of privacy, 
although separate, could be included in the scope of protection of several associated 
privacy rights, such as the freedom of thought. The direct influencing of a person's 
mind is not within the abilities of today’s technologies, however indirect methods of 
inspecting people’s minds though electromagnetic signals (or at least identifying pat- 
terns by tracing brain activity) is a technique that is widely used. However, in border 
control scenarios, it is not expected that people’s minds be interfered with; the mind 
is censed to be an inviolable area. 
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Decisional privacy: Decisional privacy is the right of a person to defend against (state) 
intrusions into citizens’ rights to hold or make certain choices pertaining to the in- 
timate sphere; these could regard their lives and how they live them, such as choices 
about same-sex marriage, abortion or assisted suicide. Generally, decisional privacy 
protects human autonomy and expresses the intellectual privacy, mentioned above, 
with this being deemed the thought process and decisional privacy being the exe- 
cution process, i.e. the manifestation of thought. All facts in relation to proactive, 
sexual and family choices, as well as disclosure of information about these, therefore 
fall within its scope of protection. In border control, this type of privacy is tangibly 
interfered with when technologies reveal sensitive information or facts about such 
situations, e.g. an obligation to reveal a tattoo upon the torso, illustrating upsetting or 
appalling images. 

Associational privacy: Associational privacy is the right of individuals to choose their 
interactions and acquaintances, i.e. friendships, communities and groups they belong 
to (akin to the freedom of assembly). Such choices are protected under the concept of 
associational privacy, which can materialise in strictly private places, intimate settings 
or semi-public spaces, depending on the degree of exposure chosen. Associational 
privacy does not constitute the core of private life, but is an emanation thereof, while 
in the context of border control, it can be interfered with when multiple individuals 
are associated, i.e. a group of travellers from a certain country or with certain shared 
characteristics, friends belonging to the same organisation, religion, community etc. 
Behavioural privacy: Behavioural privacy is the right of individuals to choose their 
public demeanour, which cannot be hidden from others observing it. Characteristics 
that fall under this type of privacy are facial characteristics, clothes, smell, gait, gestu- 
res, voice, language, mood, etc., that also, to a certain extent, cannot be instantly iden- 
tified unless particular attention is given to the individual. Borders are representative 
of places, where natural persons would be compelled to protect their behavioural pri- 
vacy, especially where they have to briefly undress or uncover areas of their body and 
thus make gestures that they would otherwise not need to do in public. Behavioural 
privacy is also related to the level of transparency and exposure chosen, yet some 
characteristics of the person cannot be hidden from public view (e.g. religious outfit). 
This type of privacy is interfered with when a technology substantially hinders or 
excludes a person from choosing how they behave publicly, due to a fear of being cri- 
ticised about such mannerisms, e.g. how they walk, how they speak, how they move 
their hands or face, etc. 

Informational privacy: Informational privacy is considered an interest of an indivi- 
dual in preventing information about themselves being collected and in controlling 
information about themselves that others may have a legitimate access to. It is both a 
type and meta-type of privacy, in the sense that, firstly, it refers to a distinctive type of 
privacy and, secondly, it overlaps with all other types. Interference with informational 
privacy essentially entails that the affected person lacks control over how information 
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about the eight aforementioned types is managed. Informational privacy is bifurcated 
into a positive freedom (informational self-determination) and a negative freedom 
(exclusion of others to information). This type of privacy has served as the foundation 
for the recent development of the distinct right to personal data protection, to a great 
extent also overlapping with it. The right to data protection is assessed separately, in 
the process of a data protection impact assessment (DPIA), and is a vital part of the 
integrated impact assessment. In border control, virtually all personal data fall, addi- 
tionally, under the scope of informational privacy. 


Figure 1: A typology of privacy 
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4.1 Introduction 


4.1.1 Definition and development of the right to personal data protection 


The terms ‘privacy’ and ‘data protection’ are oftentimes understood as one and the same 
concept. Indeed, the right to personal data protection has evolved from the right to respect 
for private life, since the development of computers and the Internet in the second half of 
the 20" century brought considerable risks and new challenges to the latter. To address the 
need for specific rules about the collection and use of personal information, a new con- 
cept of privacy emerged around the 1970s,’ known in some jurisdictions as ‘informational 
privacy’ (i.e. the privacy of personal information usually related to personal data stored in 
computer systems) or as the ‘right to informational self-determinatior’ (i.e. an individual’s 
right to control the disclosure, retention, and dissemination of their personal informati- 
on’). Throughout the years, these concepts evolved and eventually led to the development 
of special legal regimes that provide for what is known today as ‘personal data protection. 

Despite their common origin and overlapping content, privacy and data protection are 
distinct fundamental rights.? While the right to privacy aims to create a personal sphere 
in which individuals are able to develop their personalities freely, the right to personal 
data protection is understood as a precondition to the exercising of other rights. In other 
words, whereas the right to privacy consists of a general prohibition of interference as a 
‘passive right, the right to personal data protection is considered to be an ‘active right, 
which motivates a system of checks and balances to protect natural persons’ personal data. 

For the purposes of integrated impact assessment for border control technologies, to 
which the present textbook is devoted, this Chapter will focus on the right to data pro- 
tection, and in particular on how it is protected by the General Data Protection Regula- 
tion (GDPR).* In operationalising the right to data protection, this Chapter follows the 
structure below. In the following sub-sections, some further introductory notions pertai- 
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ning to data protection (its importance for society, relevant regulatory instruments and 
connections with other fundamental rights) are provided. Next, the Chapter delves into 
specific concepts of data protection law, following the terminology of the GDPR, to guide 
the assessors throughout the assessment process. Following this, Section 4.1.2 overviews 
key concepts and actors, Section 4.1.3 looks at principles of EU data protection law, Sec- 
tion 4.1.4 describes legal requirements, and Section 4.1.5 summarises data subject rights. 


4.1.2 The importance of data protection in society 


Although the right to data protection originates from the need to control the processing 
of personal information by public authorities, the banking sector, or health insurance 
companies, nowadays, the same data are processed by big private corporations, including 
technological companies. The use of artificial intelligence (AI) and profiling algorithms 
has allowed the processing of large amounts of personal and non-personal data" that peo- 
ple commonly share on digital platforms, such as social media sites, e-commerce sites, or 
health apps. These data have been characterised as “the new oil”, as they are exploitable 
resources for which companies are able to develop strategies to generate revenue and pro- 
fits.° For instance, browsers and websites collect the personal data of users and perform 
data-driven price differentiation, i.e. the same product or service is offered at different 
prices depending on the socio-economic status of a person. Another example is the use of 
recommendation systems upon social media and e-commerce platforms, in which perso- 
nal data are processed to decide on what to recommend to the end user. 

In this context, data protection rules are crucial to ensuring the security of individuals’ 
data and regulating the collection, usage, transfer and disclosure of personal data. Such 
rules would permit individuals to maintain some control over their personal information 
and how this is shared with others, as well as make them aware that certain public autho- 
rities and private entities collect their data. 


4.1.3 The role of data protection in the benchmark 


The need for data protection rules is particularly pressing in the context of border control, 
where so-called ‘smart borders, which store personal data, e.g. names and surnames, date, 
time and place of entry or exit of third-country nationals, travel documents or biometric 
data, have become widespread. One recurring argument for introducing smart borders is 
the need for law enforcement authorities to benefit from the best possible tools in order to 
quickly identify the perpetrators of terrorist acts and other serious crimes.’ Furthermore, 
the adoption of pan-European databases would enable the provision of authorised users 
with fast, seamless, systematic and controlled access to relevant information systems per- 
taining to individuals who cross borders. 
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In the light of these developments, focusing on the right to personal data protection as 
one of the elements of the benchmark of this integrated impact assessment is helpful in 
controlling for the possible abuse of power by border control authorities and, more gene- 
rally, in assessing the risks of certain processing operations to the rights and freedoms of 
natural persons.* 

The goal of this Chapter is to guide the assessors in assessing whether a given initiative 
complies with the requirements of necessity and proportionality, accountability, and data 
protection principles such as purpose limitation and quality of data.’ A robust assessment 
is critical when developing new instruments that rely on the use of information techno- 
logy; the approach provided in this textbook aims to embed personal data protection rules 
in the technological basis of a proposed instrument. 


4.1.4 List of relevant regulatory instruments and systems 


To guide the assessors, this Section provides a brief overview of data protection regulatory 
instruments and systems. As with the right to privacy, the right to personal data pro- 
tection is not universally protected by a single piece of legislation, but by a multitude of 
provisions depending on the jurisdiction. This Section follows a tripartite and hierarchical 
categorisation, through i) international, ii) regional, and iii) national laws. 


International law 

United Nations: The UN has not explicitly recognised the right to personal data protection 
as such, in contrast to the right to privacy." Only recently, in 2013 and after the Edward 
Snowden revelations," the UN adopted the resolution “The Right to Privacy in the Digital 
Age’, while the General Assembly affirmed that the rights held by people offline must also 
be protected online. Consequently, it called upon all contracting parties to respect and 
protect the right to privacy in digital communication.” This is the closest semblance to 
modern data protection laws issued by the UN to date. 


Council of Europe: Along with the ECHR,” the Council of Europe adopted, in 1981, the 
“Convention for the protection of individuals with regard to automatic processing of per- 
sonal data” (Convention 108). This Convention is the first and, to this day, only internatio- 
nal legally binding instrument dealing with data protection." The Convention underwent 
a modernisation process, completed with the adoption of an amending Protocol (Conven- 
tion 108+).!° Furthermore, the Council of Europe actively issues recommendations with 
regard to internet actors’ accountability. 6 


European Union law 
Primary law: The Treaty on the Functioning of the European Union (TFEU) and the Char- 
ter of Fundamental Rights of the European Union (‘Charter or CFR) deal with the right 
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to personal data protection. Article 16 of the TFEU, under the part of the treaty dedicated 
to the general principles of law, creates a new legal basis, granting the EU the competence 
to legislate on data protection matters. Article 8 of the Charter enshrines the right to the 
protection of personal data as a fundamental right. 


Secondary law: The body of law founded upon the principles and objectives of the treaties 
is known as secondary law; this includes, among other things, regulations and directives. 
From 1995 until May 2018, the principal European Union (EU) legal instrument on data 
protection was Directive 95/46/EC, also known as the Data Protection Directive.” The 
Directive was adopted on the model of Convention 108, and acted as an instrument for 
achieving the objectives set by the internal market agenda. 

The Directive was replaced by the GDPR,'* which consolidates principles and rules 
on data protection, has an extraterritorial effect (i.e. it applies also outside the EU), and 
enhances the principle of accountability, thus being viewed as an exemplary document for 
other jurisdictions around the world. 

In parallel, three more instruments currently complement the GDPR in data protec- 
tion matters. First, Directive 2016/680 or the “law enforcement Directive” applies to the 
protection of natural persons with regard to the processing of personal data by competent 
authorities for the purposes of the prevention, investigation, detection or prosecution of 
criminal offences or the execution of criminal penalties, and on the free movement of 
such data. Second, Directive 2002/58/EC,” also called the “ePrivacy Directive’, applies to 
personal data and the protection of privacy in electronic communications, with regards 
to security, data breaches and confidentiality of communications (including metadata). 
Third, Regulation 2018/1725” lays down the data protection obligations of the EU institu- 
tions and bodies during the processing of personal data by them, and development of new 
policies (European Institutions Data Protection Regulation (EUDPR)). The principles and 
key rules of this Regulation do not substantially differ, on the contrary, they are based on 
the provisions of the GDPR, with the exception of certain provisions inextricably tied to 
the nature and specificities of the function of EU institutions. 


National laws 

The first national data protection legislation was a novelty in one (West) German State 
(Hesse) in 1970. Since then, an increasing number of countries worldwide have progres- 
sively enacted (reformed) data protection legislation, including the Member States of the 
EU. As an illustration, the decade 2010-2019 saw 62 new countries enacting data protec- 
tion laws, more than in any previous decade. In total, as of today, an impressive number 
of 142 countries have legislated for data protection.” The adoption of firm data protection 
legislation in parts of the world with significant economic activity is highly important for, 
among other things, data transfers of personal data, ensuring a consistently high level of 
protection. 
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4.1.5 Connection with other fundamental rights 


Data protection law does not have the single purpose of protecting only one fundamental 
right, but rather acts as an umbrella mechanism for multiple fundamental rights whenever 
affected by the processing of personal data. The interrelationship between the right to per- 
sonal data protection and other fundamental rights is twofold: (a) since data protection 
is not an absolute right, it must be considered in relation to its function in society and be 
balanced against other fundamental rights, in accordance with the principle of proportio- 
nality, and (b) the EU data protection framework underlines the respect for all fundamen- 
tal rights; the freedoms and principles recognised in the Charter and as enshrined in the 
Treaties of the EU. Furthermore, it is assumed that certain types of processing may create 
significant risks to other fundamental rights and freedoms, therefore explicitly extending 
the material scope of its protection outside the domain of personal data alone, and to- 
wards other fundamental rights and freedoms, when personal data are involved. 

Typically, such rights could be: (a) the right to non-discrimination, (b) the freedom of 
thought, conscience, and religion, (c) the freedom of expression and information, (d) the 
right to an effective remedy and to a fair trial and (e) the respect for private and family 
life, home, and communications (right to privacy). Furthermore, it is observed that case 
law of the Court of Justice of the EU (CJEU) and the European Court of Human Rights 
(ECtHR) often involves two or more affected rights. For instance, it is highly probable that 
a specific type of personal data processing operation does not present risks for a single 
person but may produce significant societal and legal effects or exacerbate systemic group 
discrimination. In the realm of border control, the use of automated technologies in iden- 
tifying migration flows and managing resources is increasingly reinforcing structures of 
discrimination already inherent in migration decision-making.” 


4.2 Key concepts and actors 
4.2.1 Personal data and data subject 


The concepts of personal data and data subject are inextricably linked. ‘Personal data’ is 
defined as “information relating to an identified or identifiable natural person.” The de- 
finition of personal data is extremely broad and may also comprise ‘special categories of 
data’ (also called ‘sensitive data’), which, by their very nature, may pose greater risks to 
the data subjects when processed. Due to their character, processing of these data requires 
higher attention to be afforded by the data controller and other involved parties. These ca- 


tegories of data include personal data ‘revealing racial or ethnic origin, political opinions, 
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religious or philosophical beliefs, or trade union membership, genetic data, biometric data 
for the purpose of uniquely identifying a natural person, data concerning health or data 
concerning a natural person's sex life or sexual orientation.’ 

If the processing of data does not concern an identified or identifiable person (a human 
being), then data protection law does not apply.” For example, if the process of anonymi- 
sation has been conducted, meaning that all identifying elements are eliminated from a set 
of personal data, and the data subject is no longer identifiable, then data protection law 
does not apply. In order to determine whether a natural person is identifiable, one must 
take into account all reasonable means (including available technology) that are likely to 
be used to directly or indirectly identify the individual. Establishing a link with a natural 
person can be achieved by reference to an ‘identifier’ such as a name, an identification 
number, locational data, an online identifier or to one or more properties specific to the 
physical, physiological, genetic, mental, economic, cultural or social identity of that per- 
son.” 


4.2.2 Data controller 


In the context of personal data processing, the key decision-making figure is the data con- 
troller. In the private sector sphere, this is usually a natural or legal person, while in the 
public sector, this is an authority (e.g. a ministry, a governmental agency, etc.). The data 
controller is the one who determines the means and purposes of processing the personal 
data of natural persons.” This mostly answers the question of ‘why’ and ‘how’ the personal 
data should be processed.” To determine whether or not an entity acts as a data controller, 
the assessors look at the decision to collect or process the personal data, the purpose or 
outcome of the processing, which personal data is collected and from which individuals, 
whether there will be a contract for this, which decisions or inferences are drawn during 
or after processing, etc. 


4.2.3 Data processor 


A ‘data processor’ means a natural or legal person, public authority, agency or other body 
that processes personal data on behalf of the data controller.” As a general rule, the data 
processor processes personal data by only following specific instructions regarding the 
processing. For instance, data processors do not decide to collect personal data from indi- 
viduals on their own initiative, do not decide what personal data should be collected from 
individuals, do not decide the lawful basis for the use of that data, do not decide what 
purpose or purposes the data will be used for, and do not decide whether to disclose the 
data, or to whom.”! 
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4.2.4 Data protection authorities 


EU data protection law is applied and enforced in each national jurisdiction independently. 
This is ensured by the function of independent supervisory authorities (SAs), also called data 
protection authorities (DPAs). Specifically, each Member State shall provide for the instituti- 
on and function of one or more independent public authorities to be responsible for moni- 
toring the proper application and enforcement of data protection laws in their jurisdiction.” 


Supervisory authorities are tasked with the following activities? 

e they promote data protection at the national level, advising data subjects, data con- 
trollers and the government; 

e they hear complaints and assist data subjects with alleged violations of data protection 
rights; 

e they supervise controllers and processors, and they conduct investigations on the ap- 
plication of the Regulation; 

e they monitor relevant (technological) developments, insofar as they impact the pro- 
tection of personal data, such as the development of information and communication 
technologies; 

e they possess investigative, corrective, authorisation and advisory powers, for example, 
they may carry out investigations in the form of data protection audits; 

e they notify the controller or the processor of an alleged infringement of the Regula- 
tion, or obtain, from the controller and the processor access to all personal data and 
premises (such as data processing equipment and means); 

e they can issue warnings to a controller whose intended processing operations are li- 
kely to infringe provisions of the Regulation; 

e they can impose a temporary or definitive limitation including a ban on processing and, 

e they are the ones to impose the administrative fines, where necessary.” 


4.3 Principles of EU data protection law 


4.3.1 Lawfulness, fairness, transparency 


Three fundamental principles in data protection law jointly act as the starting point for 
the more detailed provisions on processing. Largely, these concern the data controller. 
The most important are i) lawfulness, ii) fairness and iii) transparency. Their general ar- 
ticulation as principles is further specified according to the circumstances in which they 
are applied. In other words, their application in the area of border control entails different 
risks compared to personal data processing for marketing purposes. 
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In order to process personal data, the data controller must have a lawful basis to do 
so. This basis functions as an enabler for processing personal data within the scope of the 
purposes identified. Lawful processing requires the consent of the data subject or one of 
the five other legitimate grounds provided in the data protection legislation. It also implies 
that the data controller has reviewed the purposes of the processing activities, and has 
selected the most appropriate lawful basis (or bases) for each activity. 

Personal data must be processed fairly. This means that processing must be done in 
ways that people would reasonably expect, and not in ways that have unjustified adverse 
effects on them, or in ways that could mislead them. This does not mean, however, that 
every processing that would negatively affect an individual should be considered ‘unfair. 

The principle of transparency requires that any information addressed to the public or 
to the data subject be concise, easily accessible and easy to understand, and that clear and 
plain language and, additionally, where appropriate, visualisation be used.** Among other 
things, the following information is provided beforehand: the identity and the contact 
details of the controller, the purposes of the processing for which the personal data are 
intended, and also the legal basis for the processing, the legitimate interests pursued, the 
legitimate interests, the period for which the personal data will be stored, etc.*° Transpa- 
rency in processing facilitates the exercising of the data subject's rights. 


4.3.2 Purpose limitation 


The principle of purpose limitation means that personal data must be collected for spe- 
cified, explicit and legitimate purposes and not further processed in a manner that is in- 
compatible with those purposes. In other words, any processing of personal data must be 
performed for a specific well-defined purpose, and if this happens for additional purposes, 
these must be specified and compatible with the original one.” Its objective is primarily le- 
gal certainty, along with predictability and user control.** Neither processing personal data 
for undefined or unlimited purposes is lawful, nor is processing based on the assumption 
that it may be useful at some point in the future. 

It is the data controller who defines the purposes of processing. In assessing the compa- 
tibility of the initial specific purpose with any additional ones, the controller shall take the 
following into consideration: any link between those purposes and the purposes of the in- 
tended further processing; the context in which the personal data have been collected; the 
reasonable expectations of data subjects; the nature of the personal data; the consequences 
of the processing for data subjects; the existence of appropriate safeguards.’ 
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4.3.3 Data minimisation 


Data minimisation means that personal data shall be adequate, relevant and limited to 
what is necessary in relation to the purposes for which they are processed. All these three 
words, ‘adequate, relevant and limited are subject to the discretionary power of by the data 
controller. The criteria for the assessment of necessity of processing are not straightfor- 
ward, and neither is the extent to which the purpose of the processing can be reasonably 
fulfilled by other means. What is deemed ‘appropriate’ in the case of extensive processing 
systems is not listed, in order to avoid prescriptiveness and to allow greater conformity 
with technological advancements. The data controller shall proceed to an assessment of 
the measures adopted, so as to ensure that data processing does not entail a dispropor- 
tionate interference in the fundamental rights and freedoms at stake. This also includes 
periodic review of the stored data, and deletion of those that are not necessary. 


4.3.4 Data accuracy 


A data controller must ascertain that data are accurate and kept up-to-date by guaran- 
teeing that data that are inaccurate are erased or rectified without delay. At the same 
time, some categories of personal data shall remain non-updated (e.g. a medical record 
that should be compared to and complemented by future examinations). The data subject 
shall have the right to restriction of processing by the controller when the accuracy of the 
personal data is contested.“ 


4.3.5 Storage limitation 


The data controller shall ensure that personal data are deleted or anonymised as soon as 
they are no longer needed for the purposes for which they were collected. Personal data 
shall be kept in a form that permits identification of data subjects for no longer than what 
is necessary for the purposes for which the personal data are processed. Storage limitation 
functions in conjunction with purpose limitation, since these both allow for the same ex- 
ception of further processing solely for archiving purposes in the public interest, scientific 
or historical research purposes, or statistical purposes.” Data subjects must be appropriately 
informed about the standard retention periods through the privacy policy.” This principle 
enables compliance with individuals’ requests for erasure under ‘the right to be forgotten’ 
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4.4 Legal requirements 


4.4.1 Lawfulness of processing 


Pursuant to the principle of lawfulness, personal data may be lawfully processed if they 
meet one of the following criteria (lawful grounds): 


a) 


b) 


c) 


d) 


e) 


f) 


Consent: the data subject has given consent to the processing of their personal data for 
one or more specific purposes. Consent is considered freely given if the data subject 
has genuine or free choice or is able to refuse or withdraw consent without detri- 
ment.” It shall be as easy to withdraw as to give consent, at any time. Consent may not 
always be a lawful ground: for instance, employees are not in a position to freely give, 
refuse or revoke consent, given their dependency within the employer/employee rela- 
tionship. Consent must also be informed (data subjects must have received sufficient 
information), specific (for concrete processing purposes) and unambiguous (without 
reasonable doubts). 

Contract: processing is necessary for the performance of a contract to which the data 
subject is party, or in order to take steps at the request of the data subject prior to 
entering into a contract. This lawful ground applies where either of two conditions 
are met: the processing in question is objectively necessary for the performance of a 
contract with a data subject, or the processing is objectively necessary in order to take 
pre-contractual steps at the request of a data subject.” 

Legal obligation: processing is necessary for compliance with a legal obligation to 
which the controller is subject. For instance, employers must process data about their 
employees for social security and taxation reasons, and businesses must process data 
about their customers for taxation purposes.” 

Vital interests: processing is necessary in order to protect the vital interests of the data 
subject or of another natural person. An illustration would be when monitoring epi- 
demics and their development, or where there is a humanitarian emergency. 

Public interest: processing is necessary for the performance of a task carried out in the 
public interest or in the exercise of official authority vested in the controller. This is 
most relevant to public authorities, and the underlying task, function or power must 
have a clear basis in law. Furthermore, there should be no less intrusive way by which 
an authority is able to reasonably perform its tasks or exercise its powers. 

Legitimate interest: processing is necessary for the purposes of the legitimate interests 
pursued by the controller or by a third party, except where such interests are over- 
ridden by the interests or fundamental rights and freedoms of the data subject that 
require protection of personal data, in particular where the data subject is a child. 
In this respect, the legitimate interests of the controller are first identified, and then 
a balancing exercise must be conducted between those interests and the interests or 
fundamental rights and freedoms of the data subject. A classic example of legitimate 
interest is direct marketing. 
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4.4.2 Accountability and compliance 


The principle of accountability” stipulates that the data controller shall be responsible for, 
and be able to demonstrate compliance with, all the data protection principles mentioned 
above. This means that they shall actively and continuously implement measures to pro- 
mote and safeguard data protection in their processing activities. Demonstrating compli- 
ance with the Regulation is an obligation towards data subjects, but also towards the data 
protection authorities. Three prominent newly introduced tools for accountability include 
the data protection officer, the data protection impact assessment, and the data protection 
by design & by default. 


Security of processing 

The principle of data security is probably the most complicated and disputed one. It is con- 
nected to a data protection principle, that of integrity and confidentiality. It requires that 
the security, integrity and confidentiality of personal data is guaranteed, so as to prevent 
adverse effects for the data subject. Measures adopted could be either of a technical or an 
organisational nature. The appropriateness of security measures must be determined on a 
case-by-case basis and be reviewed regularly. 

Criteria for such choice are the state of the art, the costs of implementation and the 
nature, scope, context and purposes of processing, as well as the risk of varying likelihood 
and severity for the rights and freedoms of natural persons. 

Measures that are deemed technically appropriate, among others, are: the pseudonymi- 
sation and encryption, the confidentiality, integrity, availability and resilience of proces- 
sing systems and services, restoration of the availability and access to personal data in a 
timely manner in the event of a physical or technical incident, and a process for regularly 
testing, assessing and evaluating the effectiveness of technical and organisational measu- 
res for ensuring the security of the processing.” 

Measures that correspond to good organisational rules could be: regular provision of 
information to all employees about data security rules and their obligations under data 
protection law, especially regarding their confidentiality obligations, clear distribution of 
responsibilities and a transparent outline of competences in matters of data processing, 
and ensuring that authorisations to access personal data have been assigned by the com- 
petent person and require proper documentation.” 


Data protection officer 

The role of the data protection officer (DPO) has been formulated in such a way so as to 
be the key role in the accountability mechanism. DPOs are responsible for the due com- 
pletion, and liable for reporting the success of a compliance project, yet without being 
accountable themselves. It is the data controller who is accountable for the compliance of 
the processing operations with the law. DPOs are obligatorily appointed where processing 
is conducted by a public authority, where processing results in systematic monitoring, or 


71 


Border Control and New Technologies 


where the processing concerns special categories of data or personal data relating to cri- 
minal convictions or offences.” 

DPOs are independent: they do not receive instructions from the management, they 
facilitate compliance by implementing the rules and communicating with the supervisory 
authorities, while they are involved, properly and in a timely manner, in all issues which 
relate to the protection of personal data within the organisation. Duties of DPOs include, 
for example, advising on the undertaking of data protection impact assessments, training 
personnel, and creating and maintaining records of processing activities within an orga- 
nisation. 


Data protection impact assessment 

The requirement to conduct data protection impact assessments (DPIAs) in several in- 
novative laws around the world is not coincidental. The recently reformed personal data 
protection law in the EU introduced a requirement for data controllers to assess the im- 
pacts of data processing operations that are “likely to result in a high risk to the rights and 
freedoms of natural persons” with regard to the protection of personal data. "7 The level of 
risk varies depending on the nature and scope of processing. Large-scale operations and 
those involving the processing of sensitive data present much higher risks for data sub- 
jects compared to smaller-scale data controllers who processes their employees’ personal 
phone numbers. 

The Regulation foresees a list of processing operations that are considered high-risk 
and for which a prior impact assessment is necessary: where there is systematic and exten- 
sive evaluation of personal aspects (profiling), where special categories of data or personal 
data relating to criminal convictions or offences are processed, and where processing in- 
volves the large-scale, systematic monitoring of publicly accessible areas.” The content of 
the impact assessment shall include, among other things, an assessment of the necessity 
and proportionality of the processing operations and the possible risks to the rights of 
individuals, as well as mitigation measures for the risks identified. To demonstrate com- 
pliance, data controllers must maintain a record of the processing activities carried out 
under their responsibility.” 


Data protection by design and by default 

Data protection by design and by default refers to the effective implementation of data 
protection principles and appropriate technical and organisational measures to safeguard 
data subjects’ rights and freedoms. The concept is an evolution of what was previously 
known as privacy by design, and is currently a legal requirement. It is inspired by the fair 
information practices, as articulated by the Information and Privacy Commissioner of 
Canada.” 

Data protection ‘by design applies to the development of new services, systems, pro- 
cesses or products that involve personal data processing. It involves implementation of 
appropriate technical and organisational measures designed to implement the data pro- 
tection principles, and the integration of safeguards into the processing necessary to fulfil 
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the legal requirements and protect data subjects’ rights. This way, privacy and data pro- 
tection are guaranteed at the design phase of any system, service, product or process, and 
then throughout the lifecycle. 

Data protection ‘by default’ requires that the data controller ensures processing of 
the data that is necessary to achieve a specific purpose. It links to the fundamental data 
protection principles of data minimisation and purpose limitation. A misunderstanding 
could be that it requires the adoption of a ‘default to off’ solution, but this is not true: This 
principle translates as the need to specify the personal data before the processing starts, 
to appropriately inform individuals, and to only process the data that are needed for the 
purpose.” 


Data breaches 

One additional accountability mechanism is that relating to data breaches. A personal 
data breach refers to a security breach leading to the accidental or unlawful destruction, 
loss, alteration or unauthorised disclosure or access to processed personal data.” Data 
breaches can be highly detrimental to the data protection rights of individuals who, as 
a result of the breach, lose control over their personal data. They are subsequently ex- 
posed to risks, such as identity theft or fraud, financial loss or material damages, loss of 
confidentiality of personal data protected by professional secrecy, and damage to their 
reputation.” 

When a personal data breach is detected, and if it is likely to result in a high risk to the 
rights and freedoms of natural persons, the controller shall communicate the personal 
data breach to the data subject without undue delay. The notification must include a des- 
cription of the nature of the data breach, of data subjects affected, and a description of the 
possible consequences. If the data breach is likely to result in high risks for the data sub- 
jects, then the data controller must inform the data subjects in clear and plain language. 
At the same time, the controller is responsible for informing the supervisory authorities. 


4.4.3 Data transfers 


The level of protection of personal data is deemed to accompany them in function of the 
country that the personal data are. Data protection law regulates transfers of personal data 
which are undergoing processing or are intended for processing after transfer to a third 
country or to an international organisation. 2) In other words, if and whenever personal 
data are transferred outside the EU, then they are subject to specific rules in processing. 
With regard to the principle of free movement of personal data in the EU, this shall be 
neither restricted nor prohibited for reasons connected with the protection of natural per- 
sons with regard to the processing of personal data.” 

Depending on the recipient of personal data, there are different tools to frame the data 
transfers. The strongest, but also the least common, is the adequacy decision.® A third 
country may be declared as offering an adequate level of protection, under a European 
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Commission decision, meaning that data can be transferred to another company in that 
third country without the data exporter being required to provide further safeguards or 
conditions.” If an adequacy decision has not been signed, then data controllers can trans- 
fer personal data based on binding corporate rules,® which are legally binding to every 
member of the group. Alternatively, they can use standard contractual clauses approved 
by the European Commission; lastly, it is possible to adhere to a code of conduct or certi- 
fication mechanism. 

Data transfers are subject to the discretion of the data controller (“...has provided ap- 
propriate safeguards, and on condition that enforceable data subject rights and effective 
legal remedies for data subjects are available”). This means that the burden of proving 
that, by transferring personal data to third countries, the level of protection there fulfils 
the minimum requirements in the EU - first and foremost, that data subject rights are not 
prejudiced and that appropriate remedies are in place — lies upon the data controller. In 
such cases, a data transfer impact assessment, a risk assessment of the factors related to the 
transferral of data to third countries, may be needed to complement the DPIA or as a stan- 
dalone document. In this, the necessity, proportionality, and technical and organisational 
measures are evaluated, as well as the level of protection of fundamental rights. 


4.5 Data subject rights 


4.5.1 Right to be informed 


The transparency principle requires that any personal data processing should generally be 
transparent to individuals. To this end, the data controller is obligated to provide infor- 
mation to the data subjects. This holds whether personal data are collected from the data 
subject directly or have not been obtained from the data subject, but instead from third 
parties. Such an obligation does not depend on a request from the data subject.® Rather, 
the controller must proactively comply with the obligation, regardless of whether the data 
subject shows an interest in the information or not. 

A broad comprehensive obligation is established when communicating this informa- 
tion to data subjects.” As described in the transparency principle, data controllers must 
provide, at the time the data are obtained or prior to the processing, in concise, transpa- 
rent, intelligible, easily accessible, clear, plain and easily understandable language, all the 
necessary information, usually in the form of a privacy notice or a website privacy policy. 
This information is provided free of charge. Frequently, information on data processing is 
structured in such a way so as to respond to the following questions: Who are we? What 
data do we collect from you? Why are we collecting your data? How do we process your data? 
What are your rights? 
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4.5.2 Right of access by the data subject 


The right to access one’s own data (right of access) is a pivotal right® and is also set out as one 
of the elements of the fundamental right to the protection of personal data in the Charter 
of Fundamental Rights, i.e. in primary law.” The right of access gives individuals the right 
to obtain a copy of their personal data, as well as other supplementary information. It helps 
data subjects to understand how and why the data controller is using their data, and check 
whether this is being done lawfully. The data controller must provide, upon request by the 
data subject, at least information on the following: purposes of processing, categories of per- 
sonal data processed, recipients of the data, storage periods, existence of data subject rights, 
and the logic involved in automated processing of data, in the case of automated decisions.” 


4.5.3 Right to rectification 


EU law provides for a right to rectification of personal data.” The data subject shall have the 
right to obtain from the controller without undue delay the rectification of inaccurate perso- 
nal data concerning them. This right includes completing data which were previously incom- 
plete, or inaccurate personal data, which must be rectified without undue or excessive delay. 


4.5.4 Right to erasure (‘right to be forgotten’) 


Data subjects have the right to have their own personal data erased, pursuant to the prin- 
ciple of data minimisation.” This is applicable, for instance where the personal data are 
no longer necessary in relation to the purposes for which they were collected or otherwise 
processed, the data subject withdraws consent, or the data has been unlawfully proces- 
sed.” Nevertheless, this right is not absolute: it needs to be balanced against other bases, 
such as the freedom of expression, the public interest, scientific or historical research pur- 
poses or statistical purposes. 


4.5.5 Right to restriction of processing 


Data subjects are entitled to obtain from the controller restriction of processing of their 
personal data where the accuracy of the personal data processed by the data controller is 
disputed or is unknown, the processing itself is unlawful, the processing of personal data 
is not necessary for the purposes intended, or the data subject has objected to the proces- 
sing.” This right enables the data subject to limit the way that a data controller uses their 
personal data, often as an alternative to deleting them. 
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4.5.6 Right to data portability 


Applying the right to data portability essentially means that data subjects are entitled 
to have their personal data transmitted directly from one controller to another if this is 
technically feasible. This involves receiving the personal data in a structured, commonly 
used and machine-readable format and then transmitting those data to another controller 
without hindrance. The right to data portability is permitted when the lawful basis is eit- 
her consent or contract, and the processing is carried out by automated means.” 


4.5.7 Right to object 


Data subjects have the right to object to the processing of their personal data in certain cir- 
cumstances, such as where a task is carried out in the public interest, or in the exercising 
of official authority or legitimate interests. The right to object is raised to an absolute right 
in the case of direct marketing.” The right to object serves in striking the correct balance 
between the data subject’s data protection rights and the legitimate rights of the data con- 
troller. Furthermore, it constitutes a powerful weapon against profiling. 


4.5.8 Right not to be subject to automated decision-making, including 
profiling 


In principle, data subjects must not be subject to automated decisions that give rise to 
legal or similarly significant effects.” This right is passive, in the sense that it equates to a 
general prohibition and does not require the data subject to proactively seek an objection 
to such a decision.” 

This provision could concern, for instance, an automatic refusal of an online credit 
application or e-recruiting practices. Automated decision-making based on profiling may 
take the form of analysing or predicting aspects concerning the data subject’s performance 
at work, economic situation, health, personal preferences or interests, reliability or behavi- 
our, location or movements, etc. If such processing is conducted, it must be accompanied 
by adequate safeguards for the data subject, such as the right to obtain human interventi- 
on on the part of the controller, to express their point of view, and to contest the decision.” 


4.5.9 Data subject rights in border control 
The national DPAs supervise the application of the data protection rules in their respec- 


tive countries, while the EDPS monitors the application of the data protection rules for the 
central system managed by eu-LISA.* In accordance with data protection principles, all 
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individuals whose data is processed in the Schengen Information System II are accorded 
specific rights. These rights are: a) the right of access to data relating to them stored in 
SIS II; b) the right to correction of inaccurate data or deletion when data have been unla- 
wfully stored; c) the right to bring proceedings before the courts or competent authorities 
to correct or delete data, or to obtain compensation. 

Lastly, data subject rights do not always prevail, they are not absolute; restrictions may 
be imposed, particularly when other interests are at stake. Such restrictions shall respect 
the essence of the right to data protection (its core) and shall be necessary and proporti- 
onate measures in a democratic society. Common grounds for imposing restrictions on 
data subject rights are national and public security, prevention, investigation, detection or 
prosecution of criminal offences, defence, protection of judicial independence, and pro- 
tection of the data subject or the rights and freedoms of others. 
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5.1 Introduction 


5.1.1 Definition of ethics 


The two terms ‘ethics’ and ‘morals’ are sometimes used interchangeably in everyday lan- 
guage, but they are not synonymous. The concepts, originating from the Greek ethos and 
the Latin mores, respectively, both mean something like habit or custom. While the term 
‘morals’ refers to de facto habits, customs and traditions, ‘ethics’ refers to a systematic 
reflection, a philosophical critique, and an evaluation thereof. Ethics is understood for 
the purpose of this Chapter, in the context of border control, as a synonym for moral phi- 
losophy, which is a branch of philosophy that deals, roughly, with a rational and practical 
reflection on what conduct is good or bad and right or wrong. 

If ethics is defined as a systematic reflection on moral issues raised by emerging techno- 
logies, the purpose of this Chapter is to provide a toolkit to guide such systematic ethical 
reflection in the context of border control. In particular, the Chapter provides assessors 
with a list of recurring arguments (and recurring fallacies against which to evaluate them) 
that will allow them to assess the ethics component of the benchmark in the integrated 
impact assessment process. Thus, the structure of the Chapter is as follows: In the next 
sub-sections, some further introductory notions on ethics (its importance for society, his- 
torical development and literature overview) will be provided, including its importance in 
the assessment process and the actors involved in it. Section 5.1.2 will provide assessors 
with the key concepts to conduct the ethics steps of the impact assessment process accor- 
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ding to the Template included in Annex 1. The approaches that are often used at the level 
of applied ethics are explored, with specific examples from the context of border control. 
Moreover, a list of argumentative fallacies will be provided as tools through which to as- 
sess or complement these approaches. 


5.1.2 The importance of ethics for society 


Performing an ethics assessment involves, put simply, systematic moral reflections about 
how a given initiative can be ‘good’ and ‘bad, right and wrong, or beneficial and harmful. 
Recent technological developments have affected every dimension of people’s lives; social 
contacts, jobs, how they eat, travel, play, and so on. European values and moral norms have 
been affected in this process as well: concepts like autonomy, freedom and responsibility 
have been challenged and modified by the new affordances of technologies and socio-tech- 
nical infrastructures.' For example, identity is shaped by algorithmic profiling (with systems 
‘predicting’ people’s online behaviour and purchases) and biometrics (with people’s bodily 
parts becoming the most important identifier by which access to certain services is enabled). 
More concretely, research and innovation (R&I) efforts at the European Commission (EC) 
in the security domain are said to contribute to tackling ‘societal challenges’ such as fighting 
crime, human trafficking and terrorism, or strengthening security through border manage- 
ment.’ At the same time, the same technological developments resulting from R&I can lead 
to undesirable impacts on individuals and groups, distributing burdens and benefits une- 
qually.* New socio-technical arrangements create genuinely new challenges, some argue, or 
exacerbate existing societal problems, such as systemic forms of racism and discrimination,* 
thus requiring reflection in order to identify harmful effects and take action against them. 


5.1.3 The role of ethics in the benchmark 


Ethics, when framed within such a definition, can be of help in an integrated impact as- 
sessment process, not as an alternative to a legal assessment based on fundamental rights, 
but rather as an argumentative support. The scope of this Chapter is therefore the inte- 
gration of ethics of technology into the impact assessment process, with the intention 
of introducing a ‘how to’ method to assessing the uses and implementations of new and 
emerging border technologies. The ethical component of the impact assessment method 
is meant to support and/or expand upon the data protection component, which consti- 
tutes the ‘backbone’ of such a method" This especially means that, besides the necessity 
and proportionality assessment and risk assessment that are mandated by law as part of 
a Data Protection Impact Assessment (DPIA),° the integrated impact assessment method 
adds an ‘ethics assessment’ to the appraisal techniques, in order to further expand on the 
assessment of the risks to rights and freedoms of natural persons. Such an expansion gives 
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assessors a broader political and societal view on the impacts of border control technolo- 
gies in addition to individual data protection issues’ by also looking at arguments relating 
to the values these technologies aim to uphold, their (supposed) neutrality, or the unequal 
distribution of burdens and benefits among groups of people. 

However, assessors need to pay attention to the use of the term ‘ethics’ when it comes 
to assessing the impacts of emerging technologies. On the one hand, ethics is currently 
an inflated term or buzzword, used with different meanings depending on the interests at 
stake for specific groups. Reference to ethics can be made by academics, humanitarian or 
non-governmental organisations, civil society representatives, technology companies (e.g. 
the ethical principles of Google or Microsoft) or political institutions (such as the European 
Commission), with each pursuing possibly different - and even competing - goals. On the 
other hand, both academics and civil society organisations? have warned about the excessive 
use of ‘AI (Artificial Intelligence) ethics’ which could become an obstacle to traditional re- 
gulation, and a way of self-legitimising industry practices.’ Given the proliferation of ethics 
principles, guidelines and methods in recent years,’ assessors may be provided with tools 
that can guide them throughout the assessment process and, more generally, can consider 
the current debates, without the risk of considering ethics an empty signifier. Before turning 
specifically to the approach of the integrated impact assessment method, however, it is useful 
to quickly look at the historical development of applied ethics and ethics assessment tools. 


5.1.4 Historical development of applied ethics 


The historical roots of the word ‘ethics, as part of a philosophical enterprise, can be traced 
back to Ancient Greece, to the work of Plato and Aristotle in the 5" and 4" centuries BCE, 
among others. In the West, ethics remained for centuries predominantly a matter limited 
to philosophical discussion." 

Until recently, then, ethics primarily had an academic and theoretical role. In the se- 
cond half of the 20" century, however, ethics, first and foremost in the form of bioethics, 
began to acquire a political and institutionalised role.’? The main explanation that is of- 
ten given for this political turn is the increased risks associated with research on human 
subjects through biotechnical medicine. However, this explanation is overly simplistic. 
An additional explanation is that the rise of institutionalised ethics reflected the need to 
establish a more open dialogue between science and society.'* Since the 1970s, the EU has 
sought to strike a balance between facilitating and promoting science on the one hand and 
respect for the pluralism of European values on the other, as a response to value conflicts 
in areas including medicine and food and agriculture.” 

Following bioethics, computer ethics, environmental ethics, and, more recently, ro- 
bo-ethics, big data ethics and AI ethics proliferated as forms of ‘applied ethics; i.e. forms 
meant to address specific challenges in different domains by applying rigorous philosop- 
hical reasoning in an attempt to solve moral dilemmas or guide decision-making. Applied 
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ethics involves an inter-disciplinary discussion, often outside academia, and related to 
policy making and decision-making processes in private (e.g. companies) or public insti- 
tutions (e.g. research committees or advisory bodies). 

Among the methods for performing applied ethics, ethical technology assessment and 
ethical impact assessment have emerged as new anticipatory methods (i.e. techniques of 
anticipatory governance to tackle impact of technologies before they materialise), as well 
as approaches such as Responsible Research and Innovation (RRI), to combine the more 
strategic and technical dimension of R&I with the more normative one of responsibility.” 
Such anticipatory and responsible approaches have opened up the topic of ‘ethics’ to a 
multi-disciplinary arena of actors, instead of keeping it confined to the realms of philosop- 
hers or academics. 


5.1.5 The profile for assessing ethics 


Today, the landscape of applied ethics is multifaceted. Compliance with ethics require- 

ments, depending on the initiative, may be assessed by a variety of bodies such as: 

- Research Ethics Committees (RECs), at public (e.g. universities) or private (e.g. com- 
panies) organisations, which calculate the risks and benefits of a given initiative and 
ensure participants give informed consent,!* 

- National ethics committees or councils,” at EU or Member State level, or 

- Groups of ethics experts recruited in an ad hoc manner.” 


An integrated impact assessment process, however, requires a team of assessors that works 
together across several domains. Looking at the composition of ethics committees and 
ethics advisory boards, members may be drawn from medicine, business, engineering, 
computer science, or elsewhere, depending on the field to which ethics is applied. It is 
therefore a challenge to identify the profile required to perform the ethics steps of the 
integrated impact assessment process. 

There are no clear-cut solutions to this challenge. Moreover, giving a definitive ans- 
wer to these questions would risk making ‘ethics’ a type of expertise inaccessible to some 
profiles. Instead, engaging in ethical discussions is, and should be, open to different pro- 
files, provided that assessors are open to critical thinking (including in their own daily 
activities) and willing to familiarise themselves with the key concepts provided in Secti- 
on 5.2. In any case, assessors with a background in humanities, and more particularly in 
philosophy (specialised in philosophy of technology, applied ethics, RRI), social sciences 
(specialised in surveillance studies, critical security studies or science and technology stu- 
dies) or law and technology (including criminology), might need less effort to acquaint 
themselves with the approach described here. 

If in the team of assessors there are no persons able to carry out this part of the assess- 
ment process, or it is not possible to hire extra personnel to carry out the assessment, this 
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could mean two main things. First, it would provide an opportunity for personnel of the 
institution in charge of the assessment to be encouraged to acquire new expertise through, 
for example, training. Alternatively, it may offer a chance to open up the assessment pro- 
cess to stakeholder involvement, for example through the team of assessors organising 
events or sessions with external experts or members of the public who can provide rele- 
vant input or support. 


5.1.6 Literature overview 


Despite recent tendencies of coupling and blurring ethical and legal considerations of 
technologies in areas such as security research,” ethics and law are better understood as 
distinct, with each having its own questions and approaches.” This separation is reflected 
in the benchmark of the integrated impact assessment process. The interdisciplinarity of 
ethics, however, coupled with the fact that there is no specific ‘ethics of border control 
technologies, (as there are, for example, bioethics, business ethics and computer ethics as 
established forms of applied ethics), might confuse assessors when it comes to choosing 
instruments (texts, methods, techniques) to support the assessment process. However, 
there are at least two groups of sources that could provide support to assessors. These are: 
A. Generic anticipatory or assessment methods that can be applied to the case of ethics 
of border control. A plethora of methods by which to undertake ethics in R&I exist, 
but the main groups can be classified in: 

e Ex-ante methods, i.e. aiming at addressing ethical issues at an early stage of the 
R&I process, such as Ethical Technology Assessment,” Pragmatist New and 
Emerging Science and Technology (NEST) ethics,” or scenario approaches;”” 

e Intra methods, taking place at the design or testing phase, like Value-Sensitive 
Design,” ethical impact assessment, or mediation theory;” or 

e  Ex-post methods, i.e. those performed on concrete applications of already-finis- 
hed R&I processes, like checklist approaches or principle-based ethics.*° 

B. Texts by scholars and activists*' who address issues of surveillance and management 
of ‘smart border’ solutions,” which can help assessors to identify recurring arguments 
in the assessment process. In particular, the following are to be considered recurring 
challenges:* 

e Reduction of dynamic and biographical identity of travellers to static biological 
samples;** 

e Creation of ‘technologies of power, which enable institutions to control citizens 
and exploit their bodies; a dark side to the promise of more efficient and objective 
identification practices;* 

e Excessive economic costs of border control technologies in comparison to the 
advantages they bring, such as high maintenance costs, technical seatbacks, or 
difficulty in adjusting to regulations;*° 
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e Increased chances of vulnerabilities such as hacking, identity theft and manipu- 
lation of data;*” 

e Risks of discrimination and replication of racial prejudices, especially concerning 
the treatment of citizens from third countries, who often need to undergo extra 
checks and, depending on their ethnicity or social background, might be more 
readily associated with terrorism or smuggling.” 


5.2 Ethical arguments and fallacies 


5.2.1 Ethics and technology arguments 


This Section presents a list of ethical arguments that assessors need to identify, analyse and 
assess.” The list includes the most recurrent arguments (and related counter-arguments) 
that are prevalent in the literature and in public debates on border control technologies. 
Engaging with ethical arguments is not a standalone exercise, but an argumentative sup- 
port to the legal and social acceptance aspects of the integrated impact assessment process. 

Universality of principles and/or values: A technology is developed on the basis of va- 
lues or principles that are assumed to be universal. The idea is that there is a set of ‘core’ 
of principles that are applicable, or values that are shared, across cultures.” In turn, from 
these values, one can ‘deduct; a priori, a core number of universal principles (4 in the case 
of bioethics) that are applicable in any practice. The same arguments are replicated today 
in the fields of Artificial Intelligence (AI)” and biometrics,” both of which that have been 
utilised in border control. Opponents of this argument stress that people might disagree 
on what values or principles count. In this case, values or principles might apply only to a 
specific situation (or culture, or even technological context), but not to another. A bigger 
problem is that principles and values might be dictated or decided upon by those who are 
already in power, and later ‘exported’ to other (more specifically, more vulnerable or less 
powerful) people, under the alleged assumption of universality. 

Technological determinism: A technology will inevitably bring about some positive or 
negative effects. This argument can take optimist or pessimist forms. Technology opti- 
mists argue in favour of technological developments as a panacea for long-lasting so- 
cial problems. Almost any form of technological progress will bring about some social 
progress, including in the context of border control. Biometrics and smart borders, for 
instance, are often seen as a ‘silver bullet’ for identification: they are portrayed as more 
reliable, accurate and efficient than traditional means of identifying people. They can ‘sol- 
ve’ problems of airport security (by identifying potential threats) or migration flows (by 
speeding-up border checks). Technology pessimists instead insist on the negative effects 
of technologisation, often with nostalgic tones. Technology is a form of alienation, and a 
deterministic force than cannot be stopped. It makes humans interchangeable forces, and 
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takes away their individualism. One form of alienation in border control stems from the 
massive use of biometric systems. A rich and dynamic identity of a person, which includes 
their personal story, interests or personality, is flattened over their static bodily identity, 
represented by a digital token (e.g. a fingerprint, facial image or retinal scan).* 

Neutrality of technology: Per se, technology is neutral, that is, it is neither beneficial nor 
harmful: it depends on the use that is made of it to achieve a certain goal. An example is 
Live Facial Recognition (LFR)“ deployed by some national law enforcement authorities, 
such as the London Metropolitan Police (UK), the police in Hamburg and Berlin (Germa- 
ny) and in Nice (France). Some would claim LFR is neutral: it can be used responsibly to 
make public spaces safer, by preventing and investigating criminal offences, but it can also 
be misused, e.g. when its use is not strictly necessary or it has detrimental effects on a per- 
son that is wrongly identified as a criminal.“ However, many oppose this neutrality thesis 
as too simplistic. Technological artefacts cannot be considered in isolation, but always as 
parts of social worlds. In other words, there are no such things as technological artefacts 
in and of themselves, but they always mediate and are mediated by society.“ For example, 
programmers already project (willingly or not) certain possible uses, values or biases upon 
a technology, for example, amplifying racial hierarchies. Consequently, technologies 
could have unforeseen effects or uses that were not considered at the design phase, or that 
are not strictly related to the original goal. For instance, higher rates of misidentification 
by LFR algorithms could lead to disproportionate interference with certain ethnic groups, 
e.g. through unnecessary police stops and requests to show proof of identity.” 

Arguments from precedence: New technologies are not really ‘new; but rather they re-pro- 
pose the same benefits and challenges of older ones. In the case of border control technologies, 
in a positive sense, an analogy is often made between biometric and non-biometric passports 
or identity documents. Identity documents have existed for a long time, and people have be- 
come accustomed to them; biometric documents do not pose additional problems (they are 
still vulnerable to, for example, theft and falsification); therefore, one should not worry about 
identity documents that include biometric features.” Opponents of the argument of precedent 
claim that the changes of emerging technologies are so disruptive, rapid and large-scale that 
the analogy with precedent technologies no longer holds.” Since biometric systems might 
collect a huge amount of data, combine different types of biometric samples (e.g. fingerprint, 
retina, gait, voice, etc.) and store them in possibly interoperable databases, the purpose(s) of 
which might not be clearly defined in advance, they are worthy of greater attention. 

Change of ethical values: Technologies change our values, leading to moral progress or 
moral decline.” Some argue that technologies help people to progress ethically, e.g. to take 
better decisions in ethical dilemmas, act according to higher ethical standards, or better 
discern values and principles at stake. This happens both at an individual and a societal 
level. For example, in the context of border control, biometric identification techniques 
could be seen as enhancing the impartiality of border checks. The process of recognition 
is carried out by automated systems, thus boosting the fairness of the outcomes. The idea 
is that, while people can have biases, automated machines do not, and are consequently 
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more equitable. Newer verification systems based on a combination of biometric traits are 
also seen to outperform the current limitations of other automated biometrics, such as 
fingerprinting, in terms of neutrality and reliability. Opponents of the argument of ethi- 
cal progress stress instead how, despite cases of progress in recent years, ethical decline 
has also taken place. Considering something to be ‘progress’ is highly dependent upon a 
specific point of view: what counts as progress for one person might not for another. Tech- 
nological developments often increase inequalities between areas of the world and groups 
within society, enhancing the welfare of the Western countries at the expense of the Global 
South, or making big companies richer at the expense of unaware customers.” Moreover, 
machines and algorithms are designed by humans, and as such they can embody prejudi- 
ces and biases subconsciously introduced by their programmers.™ 

Slippery slope: Using a metaphor, once one makes the first steps on the slope, it beco- 
mes impossible to stop until bad consequences happen. In relation to technology, the idea 
is that some relatively innocuous or small-scale technological developments could bring 
about, if developed on a large scale, a cascade of uncontrollable and unpredicted negative 
effects.” Alternatively, technology supporters might claim that if a new technology is not 
implemented now, people will suffer all types of terrible consequences. Opponents of this 
argument say that people are able to escalate easy generalisations from one specific case to 
multiple ones; that there is no convincing evidence that simply allowing some exceptions 
to moral rules will bring about a collapse of the whole system of rules; finally, that the 
possibility of exceptions does not necessarily mean that these exceptions will also occur 
on a larger scale. 

‘Function creep’: In short, function creep means the use of a specific initiative (e.g. a 
border control technology) for a purpose for which it was not originally intended." With 
reference to biometric technologies, storing biometric data in a central database might 
permit that such data are (re-)used for purposes not initially foreseen, like profiling or 
criminal investigations. An example is when Europol and law enforcement agencies were 
granted access to the information stored in the Visa Information System (VIS) for detec- 
tion and investigation of terrorist offences.” This is not in line with the original purpose 
of the system,” which was established in 2004” to improve the management of a common 
EU visa policy and to enhance the security of visas. However, in 2008, when the Regulati- 
on for the VIS was adopted,” access was granted under certain circumstances, a purpose 
that was not foreseen when the system was established in 2004.°! 


5.2.2 Normative ethics 


A specific subset of ethical arguments is related to normative ethical positions. Roughly, 
the crux of this issue is which specific ethical rules should govern conduct. This Section 
follows a tripartition between deontological, consequentialist and distributive justice ar- 
guments.” 
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Deontological arguments define rules on the basis of fundamental moral principles. An 
action is considered to be ‘morally right’ if it conforms to certain principles, rights, duties, 
prohibitions, or responsibilities, and/or if the actor has certain intentions, regardless of 
the consequences of such action. Roughly speaking, the definition of duty precedes that 
of what counts as good "7 Deontological arguments can be also weaker (admitting excep- 
tions or performing balancing between principles or duties) or stronger (requiring moral 
integrity and no exception, with certain actions being categorically prohibited). The main 
examples of deontological arguments in the technological domain are drawn from princi- 
ple-based ethics, human rights and codes of professional conduct. 

e Inprinciple-based ethics, principles are abstract action guides (do x), but sometimes 
they can also categorically prohibit a certain action (don’t do y). As a concrete exam- 
ple, the High-Level Expert Group on AI defines their principles as ‘ethical imperati- 
ves’ that AI practitioners should always strive to adhere o" 

e Inhuman rights ethics, human rights are moral entitlements that any person has and 
that have to be considered before the consequences. Sometimes, fundamental rights 
enshrined in legal texts® are also taken as foundations of ethical principles in the pu- 
blic discourse, such as in the EU’s debates on privacy and new technologies.‘ 

e In codes of professional conduct, sets of rules or principles exist that should guide 
the conduct of practitioners when exercising their profession. Codes of conduct can 
be written by companies, but also by professional associations. One of the earliest 
expressions of professional ethics is the Hippocratic Oath, which has been used in the 
medical profession for centuries. Examples of codes of conduct can also be found in 
border control.” 


The main shortcomings of deontological rules are that they are often difficult to live up 
to, they require a strong commitment, and they admit few-to-no exceptions. Also, there 
is often a gap between abstract principles and more concrete situations, which makes it 
difficult to apply the principles. To overcome the rigidity of deontology and its vagueness 
in guiding action, consequentialist arguments are often offered as alternatives. 

Consequentialist arguments (among which: utilitarian) state that actions are right or 
wrong only on the basis of their outcomes (i.e. consequences). In other words, among the 
possible actions available, one chooses the option that maximises the expected outcomes 
(or degree of utility). Thus, contrary to deontology, there are no a priori wrong acts (e.g. 
murder) and an act is right whenever it is the one that produces the best possible conse- 
quences relative to any other. Consequentialist arguments can take many forms, depen- 
ding on how the consequences or degree of utility are quantified: for example, in terms 
of pleasure, satisfaction of preferences or economic factor. Consequentialist arguments 
fit well with risk-based approaches and cost-benefit analyses precisely because they offer 
more quantitative, calculable ways to solve moral dilemmas. 

To recognise a consequentialist argument, a rule-of-thumb could be to look at whether 
a trade-off is proposed. A classic trade-off in border control discourses is that of security 


89 


Border Control and New Technologies 


versus privacy: surveillance technologies require the giving away of some privacy (e.g. 
by allowing the processing of one’s sensitive data and sharing them with third parties) in 
exchange for extra security (e.g. less risk of identity theft, less risk of dangerous people 
entering a plane). 

Trade-off discourses can be criticised for being overly simplistic: problems that are 
presented as mathematical, quantifiable and objective are in fact value-laden. The risk of 
these discourses is that political conflicts and power asymmetries are reframed as mere 
technical ones.” For example, it could be shown how, in a specific case (say, the introduc- 
tion of a system of new-generation cameras at an airport), privacy and security should not 
be understood as an abstract trade-off, that can simply be solved by using metrics that as- 
sign a numeric value to privacy and another to security. The language of trade-off” is often 
enforced in contexts (cultures, organisations) that systematically favour security (e.g. to 
defend travellers from terrorist attacks), while both privacy and security could be enfor- 
ced without losses for either of the two.” Another criticism is that consequences are often 
uncertain and not easy to predict, especially when it comes to emerging technologies. A 
classic example is environmental consequences of technologies, for instance how the use 
of cars has increased pollution in cities. Finally, consequentialism fails to take seriously the 
distinction between persons,” since what counts is the aggregate results of consequences, 
also at the cost of serious damages for small groups of people, like minorities. This is a 
problem in border control, where technologies are often beneficial for large groups of peo- 
ple (bona-fide travellers) but can be unavailable or detrimental for smaller groups (third 
country nationals, high-risk categories, or refugees). 

Distributive justice arguments” state that an action is deemed morally problematic whe- 
never some benefit to which a person is entitled is denied (without any compelling reason) 
or whenever there is an unequal distribution of benefits and burdens. 

Justice arguments can take a more positive or negative stance. In a positive sense, it 
can be admitted that, at first, the distribution of a new technology is not proportionate. It 
is inevitable that a small amount of people could initially benefit from it, but eventually 
everyone will profit from it. A small group ‘paves the way’ for the more large-scale use 
of technology. In a negative sense, the same biometric features and identification tech- 
nologies that are used can be indeed quite convenient and efficient for some, but they 
are also used to restrict the movement of others by those who are in power.” This could 
lead, on the one hand to the reinforcement of privileges of some groups (like EU and US 
citizens) and, on the other, to the increased discrimination against other groups (like 
asylum seekers). An example of this is the old Fast Low Risk Universal Crossing (FLUX 
Alliance) traveller program for US and Dutch frequent intercontinental travellers, which 
is based on biometric identifiers including fingerprints and retinal imaging.” So-called 
‘low risk passengers, i.e. with no criminal records, customs or immigration conviction, 
can apply for the program. If the interview and security threat assessment is successful, 
they can have, at the cost of paying an additional fee, the advantage of skipping queues 
and border checks. 
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5.2.3 Types of ethical fallacies 


As shown in the previous Sections, ethical arguments can always be criticised. One way 
of showing that an argument is not convincing is to demonstrate a deficit in the structure 
of the argument (also known as a logical fallacy). A fallacious argument is a reasoning 
that seems convincing at first, but is based on weak assumptions, and/or the conclusions 
do not follow from the premises. The list of fallacies provided here is tailored down to 
ethical arguments relevant for the context of border control, which are therefore referred 
to as ‘ethical’ fallacies. The list could give assessors some critical tools to challenge what is 
usually taken for granted or under-emphasised in public discourse. 

The list below is not exhaustive, but was selected on the basis of application to the argu- 
ments outlined in Section 5.2.” Taking inspiration from this list, assessors could expand 
the list of fallacies for their assessments. 

Begging the question, or petitio principii: These are arguments that include in their pre- 
mises the argument they aim to demonstrate. Such an argument is technically valid, but 
useless in demonstrating its conclusions. A classic example could be this: “The technology 
is ethical because it is compliant with ethical principles. In this example, the conclusion 
(i.e. the fact that a technology is ethical) does not add anything new to the premises (the 
fact that the technology complies with ethical principles). 

Ad hominem: An argument is refuted on the basis of the person (or company or insti- 
tution) that is proposing the argument. This argument is fallacious because it should focus 
on the merit of the argument (validity of premises, line of reasoning, clarity of exposition) 
and not on some (possibly irrelevant) qualities of the proposer. An example could be that 
“The ethics principles endorsed by Person X are unreliable because Person X is known for 
not respecting such principles in their private life. The argument can be fallacious, if it is 
not based on content or process to draw the principles endorsed by Person X, but only on 
the bad name that Person X bears in public discourse. 

Appeal to a (moral) authority, or ipse dixit: This is an argument where the opinion of an 
authority is used as irrefutable evidence to support the argument. For example, it can be 
said that ‘A technology is ethical because X said that’ or that ‘A technology is ethical be- 
cause it is compliant with the principle issued by X°. Reference to ‘moral’ authorities is not 
warranted here, since it is not clear who has established that an author or ethical advisory 
body is an authority, why they cannot be wrong, or whether the people who decided on the 
principle were democratically elected or chosen to do so. The argument is fallacious becau- 
se the soundness of the opinions of the authority are taken for granted and not questioned. 

Confusion of ethics and law: In these arguments, the boundary between the law and 
ethics is blurred. This can happen in both directions. ‘If a technology is legal, then it is 
ethical’ is fallacious, because the legal compliance of a technology does not automatically 
make it morally acceptable. But also, the converse is problematic ‘if a technology is ethi- 
cal, then it must be legal: This is questionable when it is consistently argued that ‘the law 
lags behind’ and cannot maintain the pace of technological development; therefore, ethics 
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is needed to go ‘beyond the law?” If ethics is not properly defined, and ethics principles 
are arbitrarily constructed, they may be in contrast with the law (e.g. with fundamental 
rights). 

Naturalistic fallacy: These arguments are characterised by the unwarranted deduction 
of prescriptions (X should ...) from descriptions (X is ...). Simply put, if something took 
place a number of times, it must be true: ‘If a country is implementing measures to deploy 
interoperable large-scale databases, then people should accept them. This is fallacious be- 
cause a normative conclusion (people should ...) is derived from descriptive premises (a 
country is implementing ...). To be sound, the argument needs to have both conclusions 
and premises either in the descriptive or prescriptive form. 

Ambiguity: A key word can assume multiple meanings. Usually, the correct meaning is 
deduced from the context, but when this is not the case, an argument can take different 
meanings, thus becoming weaker. An example is the use of the word ‘ethics’ as a subject of 
a sentence (‘ethics can help to, ‘ethics can contribute to, ‘ethics can clarify; etc.). For exam- 
ple: ‘Ethics will help the border guards to identify the risk of the biometric technology’ In 
this case, ethics can mean, for example, a specific training, a textbook, a set of arguments, 
or a group of ethics experts. But the problem is that it is unclear what type of ethics people 
are talking about, what type of ethics experts are involved, or who selected these. If this is 
not specified, the argument loses its force and can be misused. 

Privacy fallacy: ‘If you haven't done anything wrong, you have nothing to hide’ This 
argument is fallacious on many levels. First, not only do people that did something wrong 
need to be protected by privacy. Being exposed can carry risks, regardless of the fact that 
one has something to hide. For example, people might be discriminated against by banks, 
insurers or employers if their health records are made public. Second, one might not have 
done anything wrong, but still, due to a failure of the system, be found guilty or wrongly 
stigmatised as a criminal, only because they belong to a certain ethnic group. 

Appeal to emotion: These are arguments that appeal to the subject’s emotion in order to 
encourage them to accept arguments whose premises are weak or dubious. One example 
could be appeal to fear of anxiety of ‘external threats; like the need to develop invasive 
technologies against the menace of terrorism, in spite of the majority of terrorist attacks 
in Europe resulting from actions of internal ‘residual terrorists’ (e.g. far-right groups or 
separatists) and not of international groups.” 

Technocratic fallacy: These arguments take the form of ‘It is an engineering issue how 
X is dangerous; therefore, engineers should decide whether X is acceptable. ‘Dangerous’ 
could also be changed to ‘secure; ‘privacy-friendly, and so on. The argument is fallacious 
because engineers (or other experts) may be competent in deciding how X is dangerous, 
but not the extent to which it is morally acceptable. 

False analogy: These are arguments that use analogical reasoning; since something is 
morally accepted/acceptable in a certain case, then is must be accepted in a similar case, 
too. For instance, ‘Since biometric technologies have been accepted in criminal investiga- 
tions for their accuracy, then they must be used in everyday life too. Arguments like this 
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could be fallacious because the properties used to make the analogy are not relevant to 
drawing the conclusions. The reasons that make biometrics acceptable in criminal investi- 
gations are not the same as those that (would) make them acceptable in public life. 
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6.1 Introduction 


6.1.1 Definition of the social acceptance 


Social acceptance of technology is a concept that indicates the degree to which ‘a new 
technology is accepted - or merely tolerated - by a community’! Acceptance, in turn, 
refers to the act of receiving something that is offered, of giving an affirmative reply to 
it, and accommodating to it with approval.* In this sense, social acceptance differs from 
ethics and stakeholder involvement. To distinguish one from the other, ethics refers to a 
systematic reflection, a philosophical critique, and an evaluation of customs, habits and 
traditions in a given context.’ Therefore, while ethics is a normative concept, and as such 
requires mostly a desk-based research (although supplemented by stakeholder involve- 
ment), social acceptance, in turn, is a mainly empirical concept, and as such needs to be 
assessed on the basis of verifiable information or experience.* 

Yet, the two concepts — social acceptance and ethics — are interrelated and complemen- 
tary. What is portrayed as acceptable influences how people actually accept a technology. 
If, for example, the media say biometrics are acceptable despite the infringements of pri- 
vacy and other fundamental rights, this narrative can have an influence upon how users 
actually come to accept them. Vice versa, the way some people react to a technology may 
change what they consider to be ethically acceptable: the fact that some activists protest 
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against invasive surveillance methods, e.g. by covering their face in public spaces with a 
mask, can have an effect upon users that had not previously perceived a problem as having 
existed with such methods. On the one hand, a social acceptance assessment can help 
the assessors refine the list of arguments for the ethics assessment in Chapter 5. On the 
other, the recurring arguments included in the ethics assessment can act as an inspiration 
in the development of acceptance assessment techniques (e.g. formulating questions for 
questionnaires). 

Social acceptance and stakeholder involvement are also distinct concepts. The basic 
idea of the two concepts is to allow for wider representation. In the context of impact 
assessment, this translates into allowing multiple stakeholders’ to participate in the assess- 
ment process, opening up the process beyond the team of assessors. Also, the list of tech- 
niques is, in principle, the same, and their choice depends on the timespan and resources 
available, and the goal of the assessment. The execution of the techniques and their scope, 
however, differs. Stakeholder involvement is a broader concept: the idea is to involve any 
stakeholder in order to allow them to have a say on (ideally) every specific phase of the 
process in a continuous, ongoing manner (e.g. types of risks, how to assess risks, result of 
the threshold analysis, recommendations, etc.). In the social acceptance assessment, the 
idea is to assess how a more limited group of pre-defined stakeholders accommodates or 
gives a positive reply to a given initiative at a specific point during the assessment process, 
i.e. Step 5 of the integrated impact assessment process (Appraisal of impacts). 

Given these preliminary distinctions, the structure of the Chapter will be as follows: 
In the next sub-sections, some further introductory notions on social acceptance (its im- 
portance for society, historical development and literature review) and about the social 
acceptance component of the benchmark will be outlined, including its importance in the 
assessment process and the actors involved in it. Section 6.2 will provide the assessors with 
the key concepts critical in conducting the social acceptance steps of the impact assess- 
ment process according to the Template included in Annex 1. To do this, the perspectives, 
techniques and types of stakeholders, as well as common misconceptions about what so- 
cial acceptance is about, are explored. 


6.1.2 The importance of social acceptance for society 


The introduction of new technologies to society can give rise to widespread adoption, 
but also to episodes of discomfort, denial or even social resistance. Classic examples of 
the latter include the construction of nuclear plants or chemical factories that led to lo- 
cal protests.° In such cases, local communities might protest against top-down decisions 
that put their environment, health or local activities in danger. But similar episodes have 
happened with the introduction of surveillance and biometric technologies. For example, 
the EU-funded project iBorderCtrl (2016-2019), in which a ‘smart’ Automated Deception 
Detection System (ADDS) was being developed, was harshly criticised, by the press and 
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some civil society organisations for, among other aspects,’ its scientific developments and 
possible discriminatory outcomes.* From this it can be seen that sometimes technologies 
as such are not accepted by the public, even before the products are put on the market (e.g. 
during the research phase). In other cases, users do not adopt, or even actively ‘resist, new 
technologies until after they are introduced to the market, or they simply express their 
fears about potential misuse.’ 

An example is the use of Live Facial Recognition (LFR) by the police in public spaces in 
the UK. A survey by the Ada Lovelace Institute,” which was intended to assess the ‘public 
attitudes’ to LFR, showed some positive acceptance of the public towards its use. 70% of the 
respondents supported the use of LFR by police in criminal investigation, and 50% suppor- 
ted its use in airports in place of passport control.’ A similar survey of the London Policing 
Ethics Panel’? showed how 57% of the respondents thought the use of LFR by the police 
was acceptable and 75% that it would make it easier for the police to catch criminals.” 

The same research, however, also evidenced some tensions regarding the public attitu- 
de towards LFR in the UK. For instance, the report by the Ada Lovelace Institute shows 
how, of those interviewed, 36% ‘did not know anything about’ LFR and 48% ‘knew little 
about it.* On the use of LFR, 61% were uncomfortable with its use on public transport,” 
and the percentages of people wanting it to be deployed for purposes like tracking shop- 
ping behaviour, monitoring children at school or people at work were extremely low (be- 
low 10%).’* Similarly, the survey of the London Policing Ethics Panel showed how, overall, 
43% of the people surveyed did not think that police use of LFR was acceptable, and 50% 
responded that it would not make them feel safer.” Moreover, 41% reported that they saw 
it as being invasive of people's privacy’* and 81% responded that they believed the ways in 
which police collect personal data should be strictly controlled.” 

Debates like the one on LFR have shown that taking into account a nuanced perspective 
of public perceptions of emerging technologies is relevant, even if the results on perfor- 
mance, reliability and cost efficiency are encouraging. Like in the UK, introducing surveil- 
lance technologies without a proper public consultation might raise public outrage and 
political criticism.” Failing to take these considerations into account early on may give 
rise to negative impacts not only on policymakers and industries developing technologies 
(in regard to which strategies or products cannot be thoroughly implemented or delayed, 
or which image might suffer reputational damages), but also on the public, who may not 
be aware of how they work and their risks, may not trust the private sector, or may not 
unconditionally support their deployment. 


6.1.3 The role of social acceptance in the benchmark 
While there are already well-established forms of data protection impact assessment, pri- 


vacy impact assessment and, to a lesser extent, ethics impact assessment,” which together 
constitute the other components of the benchmark of the integrated impact assessment 
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method, there is no such a thing as ‘social acceptance impact assessment. Incorporating 
social acceptance into an integrated assessment method for border control technologies 
has to date not been attempted. 

The reasons for social acceptance being part of the integrated impact assessment me- 
thod are complementary. First, the method broadens its scope beyond traditional me- 
thods of assessing legal and ethical aspects of emerging technologies (traditionally more 
expert-based) and opens up the debate to ‘lay experts’ of the technology, especially tra- 
vellers themselves. 

Second, the concept of social acceptance can be, and has often been, interpreted in too 
narrow and instrumental a way, often as a way to self-legitimate a pre-defined technolo- 
gical program.” Even when performed robustly, assessing only de facto acceptance of a 
given initiative (with a dedicated method) is insufficient. The mere fact that (some) travel- 
lers accept border technologies is not enough to deem them ethically desirable or legally 
compliant. Therefore, social acceptance is only one part of the quadripartite benchmark in 
the integrated impact assessment process. 


6.1.4 Historical development of social acceptance 


Social acceptance did not play an important role in the history of impact assessment,” 

but the concept of social acceptance developed in several disciplines, most notably psy- 

chology, and has recently been studied extensively in relation to technologies. There are at 
least two main strands to consider: 

A. Information Technology (IT) acceptance research: This strand has roots in psycho- 
logy, sociology and Information Systems (IS) literature. The research carried out in 
this area stems from the idea that, while the presence of IT has increased dramatically 
in organisations since the 1980s, IT first needs to be accepted and used by employees 
to be beneficial for the same organisations. Explaining the mechanisms behind ac- 
ceptance and usage of single technologies resulted in the creation of several theore- 
tical models, which are nowadays used and refined in multiple domains like, among 
others, health IS, bioinformatics and social networking” to predict the technological 
behaviour of certain users in a given context.” 

B. Social acceptance of energy projects and other large-scale infrastructures: This strand 
stems from practical policy and risk management literature, and takes into account 
the acceptance of both policies and politically contentious technologies. Rather than 
focusing on organisations and their employees, the emphasis is on the impact of dis- 
ruptive or risky technologies on local communities. In this sense, the concept has 
been widely used in a variety of fields since the 1980s (e.g. nuclear waste management 
or carbon capture and storage), but more recently it has become a crucial point of 
discussion in social sciences debates around renewable and wind energy.” 
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6.1.5 The profile needed for assessing social acceptance 


Since social acceptance is not regulated by law, there are no formal bodies or institutions 
in charge of supervising or assessing social acceptance, which is predominantly an enter- 
prise carried out by individual researchers or groups. 

Even by restricting the analysis to the two strands outlined in Section 6.1.4, researchers 
on social acceptance will still be drawn from multiple domains. At the same time, there 
is no specific profession or role that manifests an expertise in social acceptance of border 
control technologies. This might create confusion when composing the team of assessors. 

Differently from ethics, some ‘hard skills’ are needed to perform a social acceptance 
assessment, although the extent to which this is the case depends on the techniques that 
are selected, as some techniques may require greater levels of specialisation than others. 
Given the sources referred to in this Chapter, assessors with a background in psycho- 
logy, social sciences and information studies would possess a robust set of quantitative 
and qualitative methodological skills for performing the assessment. Alternatively, or as a 
complement, having a background in the humanities is also useful, and more particularly 
in philosophy or law and technology (including criminology). These latter profiles, howe- 
ver, may need some more time to become acquainted with certain traditional stakeholder 
involvement techniques.” 

As for the case of ethics, the team of assessors may have no persons able to carry out 
this part of the assessment process, or it may lack the possibility to hire extra personnel 
to execute it. This could mean two main things. First, it could be a good opportunity to 
encourage some members of the institution in charge of the assessment to acquire new 
expertise through, for example, training. Alternatively, it is a chance to open up the assess- 
ment process to stakeholder involvement, i.e. the team of assessors may organise events or 
sessions with external experts or members of the public who can provide relevant input or 
support in the social acceptance assessment. 


6.1.6 Literature overview 


Unlike personal data protection, privacy and ethics, social acceptance of technologies 
is neither a well-established (academic) field within a clear-cut academic discipline, nor 
does it have a tradition of dedicated methods and techniques in the context of impact as- 
sessment. Yet, established scientific methods for the assessment of social perceptions are 
of direct relevance. To give a short overview, the two strands identified in Section 6.1.4 can 
be related to the context of border control: 

Information Technology (IT) acceptance research: The most commonly used models 
that promote this approach are the Technology Acceptance Model (TAM)” and the Uni- 
fied Theory of Acceptance and Use of Technology (UTAUT).* The latter is inspired by the 
former, and many other models have been proposed in between. TAM and UTAUT were 
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first developed to assess acceptance in IS, subsequently spreading to other field like health 
IS, bioinformatics and social networking.” The main feature of TAM and UTAUT is that 
of predicting the intentions of a user in their use of a technology and explaining the subse- 
quent usage behaviour. The basic methodological idea is that there are several constructs 
that determine usage and acceptance, such as perceived usefulness or ease of use, and that 
these can be studied empirically. Despite their success, such models have been simultane- 
ously criticised for being both overly complicated and overly simplistic. They are deemed 
overly complicated because they take into account too many independent variables (or 
constructs) at once, without clearly defining the relationships between them, while they 
are deemed overly simplistic because they overlook the fact that group, social and cultural 
aspects also play a role in technology acceptance.” 

Social acceptance of energy projects and other large-scale infrastructures: In the litera- 
ture on social acceptance of technologies in the energy field, in particularly wind energy,” 
it has been pointed out how social acceptance can be studied from the angles of three 
intertwined perspectives that touch upon different groups of stakeholders:™ 
1. A socio-political perspective related to policy and institutional frameworks and wider 

public opinions. This is social acceptance at the most general level, like that described 
in the surveys on LFR in Section 6.1.2. 

2. A community perspective related to residents and local authorities living in the sites 
of energy projects. This is about acceptance by local stakeholders related to the initia- 
tive, such as residents and local authorities. 

3. A market perspective related to the process of market adoption and innovation. This 
is not only about consumers (the more consumers accept, the more they are willing 
to switch to a new technology and buy), but also about investors and companies who 
develop technologies. 


Drawing an analogy from the case of border control technologies, in the early 2000s, au- 
thorities and policymakers found little reason to consult the public,” as there was nothing 
to debate and no opt-out from this large-scale experiment in the use of biometrics to 
manage mobility risks.** When the European Commission (EC), and especially the Di- 
rectorate-General for Migration and Home Affairs (DG HOME),” started focusing on 
the societal dimension of security technologies, the industry’s perspective played a major 
role: ‘the problems associated to the societal acceptance of security technologies results in 
a number of negative consequences. For industry it means the risk of investing in tech- 
nologies which are then not accepted by the public, leading to wasted investment. For 
the demand side it means being forced to purchase a less controversial product which 
however does not entirely fulfil the security requirements.** More recently, the EU and DG 
Home have been promoting different initiatives to include various stakeholders, and not 
only practitioners and industry.” 

When the focus on the market perspective prevails over the community perspective, 
the role of the wider public or specific communities could be reduced to that of being 
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informed or ‘convinced’ that these border solutions are the best possible alternatives 
available. This is the case when passengers, for instance, are merely considered from the 
perspective of customer satisfaction when asked about emerging security technologies.” 

To show the assessors that social acceptance plays an important role from all the three 
perspectives listed above, the next Section zooms in on some key concepts that will facili- 
tate assessors’ undertaking of the social acceptance assessment. 


6.2 Social acceptance concepts and misconceptions 


6.2.1 What social acceptance is about 


This Section presents a list of social acceptance concepts that the assessors need to consi- 
der in the assessment process. The list is based on the current discussions in the academic 
domains identified in Section 6.1. 


6.2.1.1 Engagement vs deficit model 

In technology discourses, when social acceptance is considered merely as an obstacle to 
overcome and as a necessary condition to support innovation, it is often assumed that op- 
position to technologies is due to an ignorance about or lack of information as to the bene- 
fits of the specific technology.” In studies of public understanding of science, this is referred 
to as the deficit model.” The deficit model assumes that an individual does not accept a 
type of (border control) technology because they lack an awareness of the advantages that 
such technology offers, like security, efficiency or convenience. The public therefore needs 
to be ‘educated’ by experts to become aware of the technologies in question and to be stee- 
red to trust them. The idea is that only if the public is correctly informed, then it could un- 
derstand the reasons behind the massive deployment of new border technologies. Relying 
on a deficit model could transform the acceptance assessment process into a mere self-legi- 
timating exercise, in which acceptance is assumed beforehand, and not subjected to public 
scrutiny. Opposed to the deficit model, according to the ‘engagement model, individuals 
are not only ‘instructed’ but involved in a dialogue with scientists and policy makers 17 The 
idea is to move the engagement ‘upstream; take the lay knowledge of the citizens seriously, 
and possibly achieve a two-way dialogue between the latter and scientists. 

The engagement model, however, has also its limits. Even when individuals are enga- 
ged, it is unclear whether they passively react to a pre-established political and technolo- 
gical agenda, or if instead they challenge the agenda itself. Engagement will always be 
somehow partial, as it is not possible to take all views into account from the start. Rather, 
engagement is a matter of trial and error. The goal is to conceive engagement as a way ‘to 
make visible the invisible, to expose to public scrutiny the values, visions and assumpti- 
ons that are usually hidden, which, in practice, involves asking questions like: “Why this 


105 


Border Control and New Technologies 


technology? Why not another? Who needs it? Who is controlling it? Who benefits from 
it? Can they be trusted? What will it mean for me and my family?.*° 

The fact that a technology is feasible does not necessarily mean that it is accepted or 
acceptable. Thus, questioning the very desirability of the technology’s goals and values, as 
well as the interests it will serve, is essential. Asking about acceptance is not merely collec- 
ting preferences about one or another feature or about perception of risks, but it is about 
recognising the normative and political choices by which the debate is framed.” 


6.2.1.2 Three types of perspectives 

It was noted above (Section 6.1.6) how at least three perspectives from which to study 

social acceptance have been identified; i.e. socio-political, community and market.“ For 

a comprehensive assessment, the assessors must consider all three perspectives, and — at 

the very least - not focus exclusively on the market or socio-political perspective. In the 

context of border control, these three levels mean the following: 

1. The socio-political acceptance is about the generic, aggregated acceptance of a border 
technology. It is about the attitude of the generic traveller who crosses a border cros- 
sing point. The assessors have already been warned about the possible pitfalls of an 
over-reliance on this level of analysis: there is no ‘generic’ traveller per se, but different 
travellers with competing interests and values. However, an analysis at this level could 
be a starting point from which to provide some preliminary input for the assessment, 
allowing the assessors to focus on more specific issues or groups. 

2. The community acceptance is the one that probably goes most unnoticed in border 
control technologies. Per se, community acceptance refers to the acceptance of local 
stakeholders. In the context of border control, this concept could be extended not only 
to the specific sites where a technology is being tested or deployed (e.g. a specific land, 
air or sea border of a specific country), but also to the specific (vulnerable) groups on 
which this technology is tested. Since vulnerable communities, such as non-citizens, 
might not have access to resources and human rights protections, it is more difficult 
for them to have a choice or a say in (not) accepting border control technologies. In 
turn, it is ‘easier’ for local authorities to exploit the situation and test technologies on 
them. Some authors have argued how the deployment of automated decision systems 
for migration and asylum purposes can be seen as a ‘human laboratory’ of high-risk 
experiments in automated decision-making.” Similar patterns have taken place in the 
EU, for instance in refugee camps at the EU’s external borders, like in Greece or Italy,” 
or elsewhere, such as in Canada.” 

3. The market acceptance is about the market adoption of a particular technology. It 
has more to do with how end-users (e.g. border police) are able to ‘switch’ from more 
traditional to more innovative technological solutions and accept this change as bene- 
ficial for their operations. As for any EU-funded Horizon 2020 research projects, the 
market acceptance is related to the exploitation of projects’ results, and could include 
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the assessment of possible skills shortages (e.g. among border guards), inadequate 
finances (e.g. to buy the technologies or build the required infrastructure), traditional 
value chains that are less keen to innovate, incompatibility between parts of the tech- 
nological system (e.g. for lack of standards), or mismatch between market needs and 
the solution.” 


6.2.1.3 Stakeholders 
Especially when the focus of social acceptance is on the socio-political and community 
perspectives, involving travellers is necessary to move to an upstream engagement model 
and avoid a deficit model of participation in which decisions are taken by experts and 
more powerful stakeholders (such as companies or governments). In fact, there are many 
different travellers to consider, each with local, regional and national conflicting interests 
and values.” Among them, acceptance may vary greatly depending on the group consi- 
dered, especially when it comes to border control technologies. An initial rule-of-thumb 
to guide the assessor would be to look at the traveller categories in the Schengen Borders 
Code,” which can be divided in two macro-categories:* 
- European Union (EU)/European Economic Area (EEA)/Helvetic Confederation 

(CH) citizens 
- Non-EU/EEA/CH citizens, including the sub-categories: 

e Refugees, 

e Travellers on a Schengen Visa, 

e Travellers with ETIAS travel authorisation, 

e Family members of EU citizens, and 

e Third country nationals enjoying the right of free movement under EU law. 


At the community level, not only EU citizens but also non-EU and even non-citizens or 
refugees are considered when it comes to social acceptance, because the latter categories 
are particularly affected and are more vulnerable to the risks posed by border technolo- 
gies. When it is not possible to engage with these categories, a valid alternative is to engage 
with their representatives or with civil society organisations that can give voice to their 
concerns (such as the NGOs that are part of the European Digital Rights (EDRi) network), 
or with institutions tasked with investigating issues relating to fundamental rights (such as 
the European Union Agency for Fundamental Rights (FRA)). 

There are also other stakeholders to consider at the community and socio-political level 
when it comes to acceptance, however, especially border guards and customs officers who 
need to operate the technologies. Asking border guards and customs officers about the ac- 
ceptance of technologies (e.g. whether they fear automated technologies would take their 
job away or whether they think such technologies would reduce their overall workload) 
is important, but should not substitute or be confused with the acceptance assessment of 
travellers. 
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On the market level, at the very least, industrial stakeholders, scientific experts and 
policy makers need to be taken into consideration. Industrial stakeholders could include 
technology or security service developers and providers. Scientific experts include people 
from academia and research institutes with a wide range of expertise, from hard sciences 
and applied sciences, such as engineering and computer science, to humanities, such as 
law, political science or philosophy. Finally, policy makers also include legislators and re- 
presentatives from EU bodies and agencies related to border control, such as the European 
Border and Coast Guard Agency (Frontex), the European Union Agency for the Operati- 
onal Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice 
(eu-LISA) or the EC’s DG HOME. 


6.2.1.4 Techniques and disciplines for assessing social acceptance°® 

In Section 6.1.2, surveys and questionnaires were given as examples of techniques for 
assessing acceptance and public attitudes toward a particular border control technology 
(LFR), but these techniques do not fit the different groups and perspectives detailed above 
in the same ways. In parallel, the same techniques can fit different levels of analysis, e.g. a 
questionnaire to assess market acceptance or socio-political acceptance. 

Surveys fit the socio-political level.” For instance, polls and questionnaires are very 
generic and give a useful and wide, but possibly superficial, input. Interviews, online plat- 
forms and study groups are also advisable, because they can provide more nuanced re- 
sults, but can also take more time to undertake, require greater expertise to be correctly 
executed, and only allow the collection of a smaller sample (in the same amount of time, 
just a few people can be interviewed while hundreds are able to complete a questionnai- 
re). When different groups of travellers are considered at the same time, they have the 
possibility to confront one another through methods like consultive groups, roundtables 
or workshops. To make the input of travellers more robust, participants could be asked 
to fill in questionnaires immediately after a facility tour or technology demonstration of 
the initiative under assessment (e.g. a video, a graphical representation, or simulation of 
a technology). 

For the community level, it is advisable to resort to interviews, focus groups, hotlines 
and consultive groups. These techniques allow the assessors to hear the personal stories of 
vulnerable people, and how each of them experiences their own individual challenges. This 
would involve the sharing of sensitive details, so it is advisable that formats where opinions 
can be given in an anonymised way, and without being revealed to a bigger group, be pro- 
moted. A questionnaire or survey would give overly generic results at this level, although 
it can be valuable to ensure anonymity if enough space is given to elaborate on specific 
questions (e.g. a preference for open-ended questions over close-ended ones, where the 
respondent can elaborate on their answer instead of picking from pre-selected options). 

On the market level, the assessors need to bring together stakeholders with different 
background and interests, and make them confront one another. Therefore, a plethora 
of other methods are advisable, including the Delphi process, workshops, roundtables, 
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scenario planning and/or advisory groups.” Furthermore, surveys and focus groups for 
market research, or market validation questionnaires, provide a valid alternative if limited 
time and resources are available for the assessment process. 


6.2.2 What social acceptance is not about 


The concept of social acceptance is often accompanied by a number of key assumptions in 

the public debate that serve to limit its scope. Including social acceptance in an integrated 

assessment process allows the assessors to look critically at these assumptions, in order to 
help the assessors perform a robust social acceptance assessment. Some of these assump- 
tions are listed below.” 

“The majority of people support the technology’: It is often emphasised in public sur- 
veys how support for border technologies or trust for authorities is high. The assumption 
of strong support and trust is then taken as a starting point for the discussion on the 
large-scale implementation of these technologies. Regardless of the fact of whether this 
has an empirical basis or not, a critical appraisal of these polls and surveys is sometimes 
lacking. Aspects to consider are, for instance: 

- Who commissioned the poll, since a polls goal and ultimate aim can be very different 
if it is commissioned by a company, a research consortium, a governmental organisa- 
tion or an NGO. A company producing technologies might place more emphasis on 
the positive results of a survey for its economic advantage, while an NGO fighting for 
the respect of human rights might be more interested in stressing the negative results 
on vulnerable populations. 

- How and by whom the questions are analysed, since depending on the message that 
one wants to convey with the results, certain relevant information might be underra- 
ted (for example the fact that awareness of how the technology works is very low), or 
certain not-so-relevant information overly emphasised. Findings can be presented as 
‘objective facts’ that can be quantitatively measured, not worth discussing, although 
there are a variety of subjective factors at play that cannot simply be reduced to nume- 
ric values.” Since the methods employed and the design of the study are decided befo- 
rehand, a bias to these can be introduced by the results that one wants to demonstrate. 

- The point in time when the surveys were conducted, since the timeframe of the rese- 
arch can influence the results of a survey. If people are asked about the acceptance of 
a nuclear plant immediately before and immediately after a nuclear incident, like that 
at Chernobyl, the results obtained from the pool would show a huge contrast. 

- The selection of the samples, to make sure that participants are selected in a representative 
way. If travellers were asked about a new technology introduced at an airport, the results 
would vary significantly if the interviewees were mostly white, European middle-aged 
men, with few women, elderly, people of colour or with disabilities being asked their opi- 
nions, to if the composition of the pool of those questioned were the other way round. 
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‘Social acceptance should be achieved for a greater goal’: In political debates about tech- 
nologies, there is often an assumption that social acceptance is an obstacle to overcome 
for the sake of another goal, be it innovation, industrial growth or public security. Accor- 
dingly, media and policy discourses ‘impose’ how technologies should be accepted at any 
cost for such greater goals. 

One example is the ‘biometrics imaginary’ that was first recently created in the US, and 
subsequently in the EU.” Especially in the wake of 9/11, a great number of initiatives were 
undertaken to increase security in the US and worldwide. Among these, interoperability 
efforts were taken as crucial to connect different databases and therefore fight terrorism 
(e.g. by sharing watchlists). Interoperability has been used in the collective imaginary as 
a crucial component of security, while cultural and legal barriers to its implementation 
needed to be overcome. In the EU, enhancement of border control and interoperability 
has been portrayed as a means by which to promote European integration, against poten- 
tial threats coming from external borders. Another example, outside the EU, is the case 
of the establishment of an Israeli national biometric database, as a result of the contro- 
versial Israeli Biometric Project (IBP).® The scope of the project was officially countering 
the forgery of ID cards and passports. Behind the official motivation, however, the idea 
was to create a national centralised biometric database to enhance surveillance. Despite 
the strong social resistance to the project, it was shown how a part of the Israeli press 
consistently constructed a legitimising discourse of threat to national security, portraying 
Israel as a vulnerable victim and ‘others’ (e.g. Iranians) as dangerous enemies.™ Motives to 
support the IBP included cultural motives central to Jewish-Israeli history. This allowed to 
create a convergence between two aspects of identity: a national, cultural Israeli identity 
and an administrative procedure of biometric identification. 

‘Opponents are ignorant’: This argument assumes too hastily that any form of oppositi- 
on equals ignorance or lack of expertise, and that the knowledge of experts is by definition 
more valuable than lay knowledge. It undermines legitimate forms of opposition that can 
stem from different reasonings than those of the purported advantages of the technology, 
for example a fear for the infringement of human rights (such as privacy) or other cultu- 
re-specific motivations. In fact, an increased level of knowledge or education could lead 
to a lower level of acceptance for certain technologies. Getting to know how one’ data are 
managed, how they are made interoperable and searchable, and how they could be mi- 
sused or misinterpreted, might increase the opposition to privacy-intrusive technologies 
among the broader public. If people are unaware or ignorant, by contrast, they might more 
passively accept such a technology and believe the advantages that are advertised to them. 
Some objectors to these technologies appear highly informed, for example certain NGOs 
in Europe, like the EDRi network, which includes, among others, Statewatch, an NGO 
that has published extensively on security and border control. Another famous case is 
that of the philosopher Giorgio Agamben, who, in 2004, having to travel to the US for a 
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guest lecture on a visa, decided to cancel the journey because he refused to have his fin- 
gerprint taken upon arrival.® Although some people do not accept border technologies, 
their position does not necessarily result from ignorance, and needs to be taken seriously 
in both public debate and policy choices. 

‘Opponents are threats’: Opposition to border technologies is also equated with threat, 
and, in turn, acceptance is an ‘antidote’ to such threats. Some groups of the public are 
excluded from engagement not because of their lack of knowledge, but because of the per- 
ceived risks they can cause, for example, in relation to public security (terrorists, political 
protesters, or activists), public health or irregular migration. In the case of border control, 
the threats are represented by so-called ‘high-risk’ travellers, who also evoke fear amongst 
the population. High-risk travellers, the argument goes, do not accept these technologies 
since they aim to evade these stricter controls, while ‘low-risk passengers, the category 
within which the vast majority of travellers and EU citizens fall, will accept them for the 
sake of public security, health and convenience. This argument assumes that there is a 
clear-cut distinction between low-risk and high-risk, which is in turn equated with a col- 
lective identity of ‘us’ (i.e. low-risk) vs. them (i.e. high-risk). While we tend to accept 
the technologies, they do not. However, the ways in which a person may end up being 
categorized as low or high risk are determined by opaque criteria that might reflect discri- 
minatory biases of the designers and border guards, such as racial biases.‘ The problem is 
that not all those who are labelled ‘high-risk are serious threats or potential terrorists, and 
therefore their reasons for not accepting technologies are grounded in bases other than 
evading stricter controls and pursuing their criminal intents. 

‘Acceptance is a matter of single technologies and individual users’: In many studies on 
social acceptance of technology in the fields of psychology and IS studies, an implicit as- 
sumption exists that social acceptance is mostly (1) an issue of individual users, and (2) 
a matter of single technologies.” These criticisms are also relevant to the case of border 
control technologies. Most individuals make judgements about technologies depending on 
perceived usefulness, motivations or expectations, but these are all conditional on social cir- 
cumstances and cultural identities.” For instance, in the case of the lie detector developed 
by the project iBorderCtrl, people from Western countries, who may be familiarised with 
lie detectors (e.g. from movies or books), could have, at first sight, few problems with them. 
However, the same might not apply to people whose way of communicating is different, for 
example when it is considered inappropriate to have eye contact with persons of the opposi- 
te sex.” Secondly, it is misleading to consider technological artefacts in isolation, regardless 
of the socio-technical systems in which they are introduced and, in particular, regardless 
of the political and power relations that are at play.” Acceptance in border control is never 
mere acceptance of an artefact that can make travellers and border guards’ lives more (or 
less) easy, but acceptance of a political architecture, as well: these technologies have to be 
used to strengthen the external borders of the EU and to better control migration flows. 
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7.1 Introduction 


7.1.1 The concept of border management 


The twofold goal of border management is to facilitate the efficient flow of bona fide tra- 
vellers while preventing the entry of irregular travellers.' Traditionally, border manage- 
ment encompasses an ensemble of activities aimed at controlling the flow of goods and 
individuals across borders, and administering immigration, migrant flows and asylum 
requests. At the European Union level, instead, the focus of the so called "integrated bor- 
der management" is rather on persons than on goods. Integrated border management is 
considered a necessary corollary to the free movement of persons and central to improve 
migration management (see infra). Its aims include efficiently managing the crossing of 
the external borders and addressing migratory challenges and potential future threats at 
those borders, while fully respecting fundamental rights.” In recent decades, the way in 
which border management in the European Union (EU) and in other Western democra- 
tic countries in general has been practiced has undergone significant changes, becoming 
increasingly technologised and digitalised. Traditional physical borders have been supple- 
mented by new digital borders in the form of large-scale information systems that target 
primarily the movements of third-country nationals,’ weakening the role played by the 
physical aspect of border management, including the actual crossing of territorial bor- 
ders? New border control technologies, which have become increasingly reliant on sys- 
tematic and large-scale processing of personal data, especially biometric data, have been 
deployed with the objective of enhancing the efficiency of mobility control and increasing 
security. Checks at territorial borders have become progressively automated and combin- 
ed with checks before and during travel, as well as after arrival, now commonly in place. 
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At the same time, geographical frontiers are increasingly surveilled in order to prevent 
their crossing by irregular migrants. Technological experiments in various domains of 
border management activities are being increasingly undertaken, with these ranging from 
predicting population movements in the Mediterranean and Aegean Seas by monitoring 
social media activities to applying artificial intelligence (AI) for risk-scoring purposes.’ 

These changes also concern the actors involved in actual border management. While 
border management has been first and foremost entrusted with specially trained state offi- 
cials (see e.g. Article 16 Schenghen Borders Code), due to the progressive externalisation 
and privatisation of border control (see infra), the role of non-national state actors, such as 
private companies (e.g. air carriers) and even individuals, as well as of supranational and 
international actors, such as the EU and its many agencies (e.g. Frontex), and even third 
countries, has increased.* At the same time, the technologisation of border control has 
amplified the importance of technology providers.’ The proliferation of technology and 
data actors has led to an increasingly complex regulatory framework governing border 
management in the EU, triggering at the same time criticism due to its possible detrimen- 
tal effects on fundamental rights, particularly data protection and privacy (see infra) and, 
consequently, on democracy and the rule of law. These three elements are inherently and 
indivisibly linked. While each one seems to operate independently of the others, separa- 
ting them in practice risks causing the system of values enshrined in Article 2 Treaty on 
the European Union (TEU) to collapse. 

The purpose of this Chapter is to support assessors in mapping the relevant legal and 
regulatory framework applicable to border control technologies and, therein, to emphasi- 
se those legal requirements - grouped into the three categories of data protection, privacy 
and ethics’! — that have to be complied with in order to assure, to the highest extent possi- 
ble, that border control technologies remain aligned with democratic principles, the rule 
of law and fundamental rights. 

Border management law, which encompasses a patchwork of European, national and in- 
ternational legal and otherwise regulatory instruments (see infra), represents a sui generis 
component of the benchmark against which border control technologies have to be assessed 
under the integrated impact assessment process as proposed in this textbook. Within this pro- 
cess, unlike the other elements of the benchmark (namely data protection, privacy, ethics and 
social acceptance), border management law is not per se a societal concern, but rather con- 
tains provisions that do protect societal concerns. In other words, from border management 
law, it is possible to extrapolate legal requirements enshrining data protection, privacy and 
ethics that, to be lawful, border control technologies must abide by. The adherence to these re- 
quirements is expected to enhance the social acceptance of the technology under assessment. 

The structure of this Chapter is as follows: Sections 7.1.2 and 7.1.3 will illustrate some 
of the fundamental rights and other societal concerns that can be affected by border ma- 
nagement laws and policies, as well as by border control technologies. Section 7.2 will 
delve into the historical development of border management law and policies in the EU. 
Section 7.3 will provide an overview of the legal and regulatory instruments regulating 
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border management law. Section 7.4 will focus on the actors involved in border manage- 
ment, and, finally, Section 7.5 will overview the data protection, privacy and ethics requi- 
rements enshrined in multiple components of EU border management law that may be 
relevant for the integrated impact assessment process. 

Border management laws and policies are instilled with certain values of a society, va- 
lues that vary depending on geopolitical and historical circumstances.” In other words, 
border management activities, policy goals and necessities are fluid and subject to change 
over time. They may promote the respect of fundamental rights, democracy and the rule 
of law, or conversely advance xenophobic and racially discriminatory ideologies. Given 
that border management is so heavily politicised, it is natural to assume that the utilisation 
of border control technologies is not neutral either. 


7.1.2 How border management laws and policies affect fundamental 
rights: the case of EU large-scale databases and their interoperability 


Several fundamental rights and other societal concerns can be affected by border ma- 
nagement laws and policies, as well as by border control technologies. This Section will 
illustrate some of them, using as a reference point the EU policies concerning large-scale 
databases and their interoperability that exist. 

Such EU large-scale databases presently include: the second-generation Schengen In- 
formation System (SIS II), the Visa Information System (VIS), the European Dactyloscopy 
(Eurodac), and the more recent Entry-Exit System (EES), European Criminal Records 
Information System for Third Country Nationals (ECRIS-TCN) and European Travel In- 
formation and Authorisation System (ETIAS). The EU established these with the aim of 
supporting border guards in controlling the external borders of the Schengen Area. 

In a nutshell, the SIS allows competent authorities in the EU to issue and consult alerts 
on missing or wanted objects and people. The VIS supports Member States’ consular 
authorities in the management of applications for short-stay visas to visit or to transit 
through the Schengen Area. The Eurodac supports competent authorities in determining 
the responsibility for examining an asylum application. In the near future, the EES will 
electronically register the time and place of entry and exit of third-country nationals, both 
those requiring a visa and those who are visa-exempt, admitted for a short stay, other than 
those refused to entry. The ECRIS-TCN will allow Member States’ authorities to identify 
which other Member States hold criminal records on the third-country nationals or sta- 
teless persons being checked. The ETIAS will constitute a pre-travel authorisation system 
for visa-exempt travellers, the key function of which is to verify if a third-country national 
meets entry requirements before travelling to the Schengen Area, enabling pre-travel as- 
sessment of irregular migration, security or public health risks. $ 

Although each EU large-scale database has its purposes and specificities,” their tech- 
nical architectures are similar. They are composed of a central system, managed by the 
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European Union Agency for the Operational Management of Large-Scale IT Systems in 
the Area of Freedom, Security and Justice (eu-LISA), a backup, a national system/interface 
in each Member State that communicates with the central one, and an (encrypted) com- 
munication infrastructure connecting them. National copies of the central system are fo- 
reseen for the SIS. All of these databases rely on the extensive processing of personal data, 
including biometric data (namely, fingerprints, palmprints, facial images, DNA profiles. 
Note that each database contains different types of biometric data).'* It has been esteemed 
that the SIS contains over 70 million alerts, the Eurodac more than 5 million fingerprint 
datasets, and the VIS over 17 million visa applications.” 

The official goal of the latest EU policies is that these databases will become interopera- 
ble. This interoperability scheme will build upon four components: a European Search Portal 
(ESP), allowing competent authorities to search multiple EU information systems simultane- 
ously (including certain Europol data and Interpol databases). This common search protocol 
will use biographical and biometric data; a shared biometric matching service (BMS), ena- 
bling the search and comparison of biometric data (fingerprints and facial images) from se- 
veral systems that store biometric templates; a common identity repository (CIR), containing 
biographical and biometric data of third-country nationals recorded in the Eurodac, VIS, EES, 
ETIAS and ECRIS-TCN; and a multiple-identity detector (MID), which checks whether the 
biographical identity data contained in the search exists in other parts of the shared system, 
thus allowing the detection of multiple identities linked to the same set of biometric data.” 

Many fundamental rights are affected by these EU large-scale databases and their inter- 
operability. Various actors, including the European Data Protection Supervisor (EDPS), the 
EU Agency for Fundamental Rights (FRA), NGOs and academia have noted, inter alia, that 
the processing of large amounts of personal data not only jeopardises the rights to privacy 
and personal data protection, but may have a larger impact on democracy and society as a 
whole. In particular, privacy, they argue, is an inherent value in liberal democratic and plu- 
ralist societies, in addition to being a cornerstone for the enjoyment of fundamental rights.” 

However, other fundamental rights, in particular the right to non-discrimination, are 
affected by these databases and their interoperability. As these databases mainly contain 
the data of third-country nationals, concerns have been raised over the fairness of EU 
laws and policies towards third-country nationals. The Court of Justice of the European 
Union (CJEU), albeit in a different context, highlighted that the coexistence of different 
data processing practices for nationals and for non-national EU citizens may be discri- 
minatory.” Certain analysts even doubt the legality of having different data processing 
practices for EU and non-EU citizens and whether this respects the essence of the right 
to personal data protection.” Other challenges derive from the technical architecture of 
the databases, which renders them prone to fragilities (e.g. technical failures, errors in 
software configurations, discrepancies between the central system and national copies, 
data quality of the entries, depending mostly on the work practices of their end users).” 
In addition to jeopardising the efficiency of the IT systems, some of these fragilities affect 
the rights of individuals whose data are stored in them. For instance, inaccuracy of data 
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or discrepancies between information stored national and central systems may lead to 
unjust administrative decisions against a person. The negative consequences of data inac- 
curacy are likely to be amplified by the impending interoperability of the EU large-scale 
databases. When combined with interstate trust, interoperability may legitimise national 
authorities to blindly rely on data stored in EU data systems, even when not accurate and 
up-to-date, instead of performing a careful examination of each case 

Furthermore, interoperability entails much more than interconnecting IT systems. It 
also implicates semantic, social, cultural, economic, organisational and legal issues.” Per- 
haps most importantly, far from being just a technical choice, interoperability entails a 
political approach that somehow blurs the lines between various policy goals (e.g. asylum, 
migration management, law enforcement, counterterrorism), risking, for example, a con- 
flation of the notions of “terrorist” or “criminal” used in public discourse with the legally 
defined notion of “foreigner” or "alen" The interconnection of technologies (and data- 
bases) also gives rise to the possibility of function creep, which could imply the expansion 
of surveillance and data collection functions into areas where they conflict with core data 
protection principles such as lawfulness, purpose limitation or data minimisation.” 

EU laws and policies related to EU large-scale databases and interoperability are not 
alone in facing criticism. Another phenomenon that has been put into question is the 
externalisation of border control, which refers to a “range of processes whereby European 
actors and Member States complement policies to control migration across their territo- 
rial boundaries with initiatives that realise such control extra-territorially and through 
other countries and organs rather than their own.” The externalisation of border control 
has been deemed particularly detrimental to the effective exercise of the right to asylum 
and the principle of non-refoulement.*! 


7.1.3 How border control technologies affect fundamental rights 


Just as border management laws and policies embed certain values of a society, so are 
border control (and digital) technologies unneutral. They can be deployed both to pro- 
mote the respect of fundamental rights, democracy and the rule of law and, conversely, to 
advance xenophobic and racially discriminatory ideologies.” Border control technologies 
are multiple and diverse. As a general rule, they may facilitate both border checks and bor- 
der surveillance activities. Border control technologies aimed at facilitating border checks 
primarily target individuals and rely on extensive personal data processing, whereas those 
used for border surveillance purposes focus on detecting events where individuals and 
groups are involved, which entails different risks for fundamental rights.* 

For instance, although border control technologies may not always rely on personal 
data processing, there is a risk that they will jeopardise other fundamental rights, inter 
alia, the right to asylum and to non-refoulement,* as well as the rights of minorities, who 
may inadvertently become the main target groups of border surveillance activities.” 
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One form of border control technology that is particularly challenging from a fun- 
damental rights perspective is the use of algorithmic profiling. In the context of border 
management, profiling is used mainly to identify known individuals based on previously 
collected data or as a predictive method to identify unknown individuals who may be of 
interest to border management authorities,** on the basis of risk indicators.” EU large-sca- 
le databases (in particular, the ETIAS) have come to increasingly incorporate algorithmic 
decision-making, including profiling functionalities (e.g. to determine whether an indi- 
vidual is to be determined a risk).** By analysing existing data derived from past experi- 
ences and statistical analysis, correlations between certain characteristics and particular 
outcomes or behaviours are established and used to draw conclusions, and make decisions 
about certain individuals.” Consequently, whereas profiling can be a useful tool, its use 
may lead biased outcomes, affecting, inter alia, equality, non-discrimination, privacy and 
data protection.” 

Equality and non-discrimination are also at stake, considering that the accuracy of cer- 
tain border control technologies (e.g. facial recognition) relative to parameters such as gen- 
der and skin tone, may give rise to discrimination.“ Border control technologies are, in this 
sense, prone to perpetuate human rights harms and exacerbate systemic discrimination.” 

The performance of the integrated impact assessment of border control technologies 
can help to minimise such negative consequences. 


7.2 The historical development of border management 
law in the EU 


As mentioned above, the essential twofold goal of border management (law) is to facilitate 
the efficient flow of bona fide travellers while preventing the entry of irregular travellers.“ 
To achieve this objective, multiple approaches are possible. 

For centuries, the so-called “nationalist approach” towards border control has been 
predominant in Europe.“ In a nutshell, such an approach, typical of modern states, con- 
ceives border control as a corollary of sovereignty and therefore a purely domestic matter, 
for which national governments are the sole responsible actors.“ The so-called Westp- 
halian (or modern) state system builds upon the idea that sovereign states possess the 
monopoly of force within their mutually recognised territories, which are delimited by 
borders.“ Considering that sovereignty for a state entails having control over the territory, 
the population and the goods therein, borders function as a kind of “filter”, demarcating 
“a portion of the globe that a centralised authority claims as its own and to protect it from 
external threats” Centuries after the Treaties of Westphalia (1648), the Montevideo Con- 
vention on the Rights and Duties of States (1933) still considers the territory, enclosed 
within borders, as a statehood criterion, together with population, government, and the 
capacity to enter into relations with other states.** 
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With the emergence of supranational institutions, the concept of sovereignty transfor- 
med. In Europe, with the process of European integration, the Member States of what is 
today known as the European Union (EU), started to transfer the execution of some of 
their sovereign competences at a supranational level, including those competences that 
relate to border management.” This conferral of these competences is a direct consequen- 
ce of the emergence of the Common Market and four freedoms of the EU, namely the 
freedom of movement of goods, persons, services, capitals (Title IV TFEU), which are, 
in turn, safeguarded by diverse policies within the Area of Freedom, Security and Justice 
(AFSJ), pertaining to, for example, migration (Title V TFEU). 

In the process of European integration, supranational cooperation has progressively ac- 
quired more and more power and competences in the field of border management. The sig- 
ning of the Schengen Agreement (1985) and of the Convention Implementing the Schen- 
gen Agreement (1990) have laid the foundation for the gradual abolition of internal border 
controls, homogenisation of visa policies, and implementation of a cooperating structure 
between internal and immigration officers, including the establishment of the Schengen 
Information System.” Yet, the two were international agreements, valid exclusively among 
the signatory states. The Treaty of Maastricht (1992), establishing the so-called three-pillars 
structure for the organisation of the competences of the European Union,” introduced for 
the first time the idea of European cooperation in the field of border management, although 
still based on inter-governmentalism.” The Treaty of Amsterdam (1997) went further by 
incorporating the Schengen rules, previously applicable only to the signatory states of the 
Schengen Agreement and the Convention implementing it, into the acquis communautaire; 
the body of common rights and obligations that are binding for all EU countries, as EU 
Member States.” With the Treaty of Lisbon (2007) and the abolition of the pillars structure, 
the intergovernmental approach in the field of border management was overcome, border 
management being nowadays entirely reconducted to supranational cooperation.™ 

Border management laws and policies in the EU build upon the assumption that, to 
ensure a high level of security and the freedom of movement within the EU, one of the 
necessary conditions is the strong and reliable (integrated) management of the movement 
of persons across external borders.” The progressive technologisation and digitalisation 
that has come to characterise the EU policies of recent decades is precisely intended to 
better-secure the EU’s external borders and streamline border crossing by becoming in- 
creasingly reliant on automated information-sharing and self-service." 

These developments represent a turning point in comparison to the above-mentioned 
nationalist approach.” Although the EU system still acknowledges the existence of na- 
tional borders and maintains the rhetoric of borders as filters against external threats, it 
introduces a key novelty, namely the distinction between internal and external borders. 
Whereas for the former, the controls are in principle lifted, i.e. these borders may be cros- 
sed at any point without a border check on persons - irrespective of their nationality 
- being carried out,” for the latter, controls are in place and — what is perhaps more im- 
portant - a common policy is established.” 
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This distinction affects also the perception that individuals have about borders and the 
EU as a whole. From the insider’s perspective, the EU may appear open and hospitable, 
whereas for the rest of the world, it may appear more closed, secure and less permissive. 
Internal borders are deemed rather inclusive and less visible, while external borders are 
perceived as exclusive and restrictive, since security and border traffic control are trans- 
ferred thereto." 


7.3 Legal and regulatory instruments governing border 
management in the EU 


Nowadays, border management in the EU is governed by a patchwork of legal and other- 
wise regulatory instruments, encompassing European primary law sources, namely the 
Treaties (Treaty on the European Union (TEU) and Treaty on the Functioning of the Eu- 
ropean Union (TFEU)), and the Charter on Fundamental Rights of the European Union 
(CFR). While Article 3(2) TEU states the essence thereof - namely that the “Union shall 
offer its citizens an area of freedom, security and justice without internal frontiers, in 
which the free movement of persons is ensured in conjunction with appropriate measures 
with respect to external border controls, asylum, immigration and the prevention and 
combating of crime’, Title V TFEU on the Area of Freedom Security and Justice further 
specifies a common policy on asylum, immigration and external border control, all of 
which must conform to the CFR; when implementing EU law, Member States are also 
bound by the Charter. 

Secondary law sources, such as regulations, directives and (implementing) decisions, 
also play a role in framing EU border management policy. This includes, first and fore- 
most, a legal statute for each border management tool, ranging from Schengen through 
large-scale databases and their interoperability, the Passenger Name Record (PNR) Direc- 
tives, the Advanced Passenger Information (API) Directive, the European Border Surveil- 
lance System (Eurosur), the rules governing the European bodies and agencies, the rules 
governing border control of persons crossing the external borders of the Member States 
of the Union (contained in the Schengen Borders Code (SBC)), to identity cards and pas- 
sports, unmanned air vehicles, dual-use, etc. 

In addition to EU law, Member States are bound by public international law instru- 
ments, e.g. bilateral agreements, treaties and conventions, such as the 1950 European 
Convention on Human Rights, the 1951 Geneva Convention, and the 1967 Protocol Rela- 
ting to the Status of Refugees. National laws play a role insofar as certain matters, directly 
or indirectly linked to border management, such as intelligence, military and internal se- 
curity, are the exclusive competence of Member States 

Eventually, soft law instruments, such as internal policies and practices of border autho- 
rities and memoranda of understanding concluded between border control authorities of 
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neighbouring countries, also come into play in the formation of policy. Finally, a number 
of technical standards fixed for biometric data contained in passports (International Civil 
Aviation Organisation (ICAO), National Institute of Standards and Technology (NIST)) 
set certain limitations on the implementation of border management policy. 


7.4 Actors involved in border management in the EU 


Over recent decades, border management has come to no longer be a prerogative of state 
actors alone. The actors currently involved, directly or indirectly, in border management 
activities can be grouped into three main categories, namely national state actors, supra- 
national state actors (in this context, the EU and its institutions, bodies, offices and agen- 
cies) and private actors. 

National state actors include the border control authorities entrusted with the actual 
performance of border checks and border surveillance under national and/or EU law, na- 
tional law enforcement agencies, insofar as they are assigned border management-related 
tasks, Passenger Information Units (PIUs) established under the Passenger Name Records 
(PNR) Directive, and national Data Protection Authorities (DPAs), to the extent that they 
oversee how nationally competent authorities use EU large-scale databases. 

Amongst supranational state actors, apart from the Commission, the European Parlia- 
ment and the Council, several EU bodies and agencies have been set up and tasked with 
border management tasks. The European Border and Coast Guard Agency (commonly 
known as Frontex)“ , together with Member States responsible authorities, oversees the 
effective implementation of integrated border management at the external borders of the 
EU. The European Union Agency for the Operational Management of Large-Scale IT Sys- 
tems in the Area of Freedom, Security and Justice (eu-LISA) is in charge of the operational 
management of the SIS, VIS and Eurodac, and of the preparation, development and ope- 
rational management of EES, ETIAS and ECRIS-TCN.® The European Data Protection 
Supervisor (EDPS) has responsibility for supervising personal data processing in the cen- 
tral units of the databases hosted by eu-LISA (the EDPS and national DPAs form together 
the Supervision Coordination Groups (SCGs)).® The European Asylum Support Office 
(EASO) contributes to the development of the Common European Asylum System by fa- 
cilitating, coordinating and strengthening practical cooperation among Member States on 
the many aspects of asylum.” Finally, the European Union Agency for Law Enforcement 
Cooperation (Europol) will, under certain conditions (e.g. when necessary to fulfil its 
mandate), have access to the SIS, VIS, Eurodac, EES, ETIAS and ECRIS-TCN.® 

Private actors include carriers and those private entities that, due to the progressive pri- 
vatisation of border control, have been tasked with specific border management-related 
tasks such as sharing passenger-related information with border control authorities or den- 
ying boarding.® A key group of private actors not mentioned in the legal and otherwise re- 
gulatory framework, but that in practice influence border management, are the technology 
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providers themselves.” When public authorities lack the technical capacity for deploying 
and understanding border control technologies, they may rely, sometimes to a high degree, 
on technology developers. This has a tendency to enable these private actors to influence the 
border control agenda and to shape priorities regarding the technologies to be deployed.” 


7.5 Legal requirements enshrining data protection, 
privacy and ethics in EU border management law 


7.5.1 An introduction to the built-in safeguards system of EU border 
management law 


Given the EU’s commitment to democracy, the rule of law and fundamental rights, border 
management law in the EU contains built-in safeguards that protect these values, and in 
particular data protection, privacy and ethics. Therefore, for the purposes of the process of 
integrated impact assessment of border control technologies, these requirements enshri- 
ning data protection, privacy and ethics have to be evaluated by means of a legal compli- 
ance check on the envisaged technology. The adherence to these requirements is further 
expected to enhance the social acceptance of the technology under assessment. 

It should be noted that the sole legal compliance check against data protection, priva- 
cy and ethics requirements does not necessarily grant that a border control technology 
is socially acceptable and respects democracy, the rule of law and fundamental rights. 
Indeed, as mentioned above, border management laws (and policies) may embed xenop- 
hobic and racially discriminatory ideologies. In democratic systems, many safeguards are 
arguably in place to avoid this happening. For instance, at a procedural level, part of the 
EU framework governing border management (e.g. regulations, directives) is the outco- 
me of the ordinary legislative procedure,” where the European Parliament is co-legislator 
with the Council. Yet, this does not automatically ensure the adherence of these laws to 
superior sources (e.g. Charter of Fundamental Rights of the European Union). The EU 
legal framework can be challenged in front of the Court of Justice of the European Uni- 
on and invalidated. In other words, procedural democracy does not necessarily coincide 
with substantive democracy, which functions with the actual interest of those governed.” 
Furthermore, when legislation is adopted specifically to confront emergency situations, 
using an intergovernmental method,” or has (apparently) more technical content (e.g. 
EU implementing and delegated acts), the democratic scrutiny is lessened.” Similar con- 
siderations are valid, mutatis mutandis, for national laws governing border management. 

Each type of technology to be implemented corresponds to an applicable legal frame- 
work. For example, when border control technologies are used to perform border checks, 
they may be connected to EU large-scale databases, meaning that rules on EU large-scale 
databases and the Schengen Borders Code are applicable, and compliance requirements 
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must be extrapolated therefrom. Conversely, when border control technologies are aimed 
at performing border surveillance activities, other rules (Eurosur) may be relevant. (An 
inventory of the EU legal framework potentially applicable to border control technologies, 
grouped into macro-topics, is provided in Annex IV of this textbook.) 

As a general rule, the legal framework applicable to border control technologies, and 
particularly in regard to the exchange of information in border management activities (e.g. 
EU large-scale databases, interoperability regulations), is governed by its own data protec- 
tion rules (lex specialis). Matters that are not expressly regulated in the framework are re- 
ferred mainly to the General Data Protection Regulation (GDPR) (lex generalis), unless the 
purpose is “the prevention, detection or investigation of terrorist offences or other serious 
criminal offences’, meaning that the Law Enforcement Directive (LED) is applicable.” 

For the European institutions, bodies and agencies involved in border management, 
the lex generalis is Regulation (EU) 2018/1725 on the protection of natural persons with 
regard to the processing of personal data by the Union institutions, bodies, offices and 
agencies and on the free movement of such data (EUDPR). Chapter IX EUDPR regulates 
the processing of operational personal data by Union bodies, offices and agencies when 
carrying out activities falling within the scope of judicial cooperation in criminal matters 
and police cooperation. Certain regulations establishing EU bodies and agencies contain 
their own data protection rules that constitute lex specialis in relation to the EUDPR (for 
Frontex, this is, for example, Chapter IV, Section 2 Frontex Regulation). Europol is an ex- 
ception to this, due to the fact that, at present, it has its own data protection rules. 

More specifically, border management law establishes some special rules, especially in 
relation to data subjects’ rights, data transfers, accessibility of personal data and accuracy 
of biometric data, that specify the lex generalis. In addition, border management law gives 
substance and further specifies certain concepts contained in the GDPR (e.g. allocation 
of roles of controllers and processors). Regarding other obligations (e.g. the need to ap- 
point a data protection officer (DPO), the requirement for the data controller to perform 
a DPIA), border management authorities and EU bodies and agencies involved in border 
management are still bound by the GDPR, the LED and/or the EUDPR. 


7.5.2 Summary of the data protection, privacy and ethics requirements 
of the EU border control system 


7.5.2.1 Data Protection Requirements 

The following is a cursory overview of the specific regulatory measures current assured 

by multiple components of EU border management law. This Section needs to be read in 

conjunction with Chapter 4 on personal data protection, where the concepts under the lex 

generalis are presented. 

1. Roles of controllers and processors. The responsibilities of controllers and processors 
are allocated in accordance with the law. 
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In some cases, border management law expressly allocates the roles of controllers and 
processors in the entities involved in data processing operations.” The distinction 
is important because data controllers have broader obligations than data processors 
(e.g. performance of a DPIA).” 
Lawful processing. A legal basis grounds the personal data processing performed by 
the border control technology. 
Border management law may lay down the basis for certain processing operations 
(e.g. expressly require border control authorities to carry out certain data processing 
operations), or clarify the legal basis to be used in certain processing (e.g. consent).” 
Purpose limitation. Data processed by a border control technology are processed for 
specified, explicit and legitimate purposes, in line with those specified in the relevant 
legal and regulatory framework applicable to it. 
Border management law lists the purposes for which a border control activity is carried 
out and personal data are to be processed (e.g. each EU large-scale IT system has own pur- 
poses, whereas the PNR and API directives specify why PNR and API are processed).* 
Therefore, when a border control technology processes personal data, the purposes of 
processing need to be in-line with those specified in the legal framework applicable to it. 
Data minimisation. 
4.1. The border control technology processes only the personal data that are adequate, 
relevant and not excessive for the specific border control activity. 
In the context of border management, not all the activities performed by bor- 
der control authorities require personal data processing. Border management 
law clarifies that, whereas personal data processing is a core function for border 
checks,*! it is conversely exceptional for border surveillance.” 
4.2. The border control technology ensures that only certain categories of personal data 
are processed. 
While a border control technology may have the technical capacity to process mul- 
tiple categories of personal data, not all of them are necessary for performing a bor- 
der management activity. For example, border management law provides a closed 
list of the categories of personal data that can be stored/processed in EU large-scale 
databases,* or collected and transferred by (air) carriers.** 
Accuracy. Mechanisms are in place to ensure that data processed by a border control 
technology are accurate and up-to-date, and that any change in the data is promptly 
communicated to those (authorities) concerned. 
Keeping data accurate and up-to-date in the context of border management is of ut- 
most importance to effectively take action against those individuals that represent 
a threat to security and to prevent unjust decisions against bona fide individuals.® 
Accordingly, border management law requires border control authorities to set up 
mechanisms to ensure that inaccurate or outdated information stored in a database is 
erased or updated within a specific period of time, and that the changes are commu- 
nicated to those (authorities) concerned.* 
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6. Accuracy for biometric data. The border control technology complies with minimum 

data quality standards for biometric data. 
Border management law adopts a (partially) different approach compared to the lex 
generalis on biometric data. Whereas under the lex generalis the processing of biome- 
tric data is in principle prohibited, it is conversely the core of the functioning of EU 
large-scale IT systems and portrayed as a more secure, efficient and reliable solution 
for identification and verification of the identity of individuals.” However, for relia- 
ble identification and verification of identities, the accuracy of biometric data is of 
pivotal importance. For this reason, border management law expressly sets standards 
for the accuracy of biometric data that border control technologies must comply 
with. 29 

7. Storage limitation. 

7.1. The border control technology ensures that data are automatically deleted once 
the retention period elapses. 
Border management law expressly defines the data retention period for the infor- 
mation stored in EU large-scale databases and of the personal data processed by 
Frontex. As a further safeguard for the data subjects, it requires that, once the data 
retention period elapses, data are automatically deleted.” 

7.2. The border control technology ensures that log data are deleted once the retenti- 
on period elapses. 
Border management law specifies the retention period for logs in relation to both 
EU large-scale databases and their interoperability. However, since logs are kept 
for accountability purposes (see infra), their deletion is not automatic.” 
8. Data security (availability, integrity & confidentiality). The organisation adopts tech- 
nical and organisational measures to ensure the security of the data processed by the 
border control technology. 
Border management law expressly introduces certain technical and organisational 
measures that that need to be complied with to ensure, to the greatest extent possible, 
the security and availability of EU large-scale databases. Such organisational measu- 
res include the establishment of a security plan, a business continuity plan and a disas- 
ter recovery plan, as well as fall-back procedures.” The technical measures include the 
encryption of the communication infrastructure connecting national interfaces and 
central systems, and measures ensuring the technical compatibility between national 
interfaces and central systems for the transmission of data.” 
9. Accountability. The border control authority has accountability measures in place. 
Border management law provides for a series of accountability measures that include: 
e maintenance of logs/records of processing activities (which are also made available 
to supervisory authorities); 

e staff training on data protection and rules and procedures of processing;”! 

e ` self-monitoring of the national and EU authorities dealing with EU large-scale 
databases;”° 
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e requirements that that persons working with EU-large scale databases are bound 
by professional secrecy or equivalent; 

e requirements as to what documentation (e.g. records of data subjects’ requests, 
inventories of technical copies of databases, reports of security incidents)” is 
made available to supervisory authorities. 

Data subjects’ rights. Data subjects are granted the possibility to exercise their rights. 
Data subjects’ rights have been developed with the aim of mitigating the power imba- 
lances between data controllers and data subjects, to enhance the control of the latter 
over their personal information.” In law enforcement and security-related contexts, 
they are more limited in scope but still need to be granted.” Similarly, border manage- 
ment law poses some limitations, but still ensures that data subjects enjoy the rights 
to: 

e  information;!” 

e access (also indirect via a DPA);!” 

e  rectification;! 

e — erasure;!° 

e restriction of processing (for EES, ETIAS, ECRIS-TCN, MID); 

e toa certain extent, not to be subject to a decision based solely on automated pro- 
cessing that significantly affects hem. D 

Border control authorities need to keep track of data subjects’ requests, reply to them 
within the deadlines specified in the legal framework applicable to them and, in the event 
that they are unable to comply with the request, inform data subjects of the reasons for 
refusal and of their right to lodge a complaint with a DPA. Together with eu-LISA, they 
are liable for damages suffered by individuals resulting from unlawful data processing.” 
Data transfers. Transfers to third countries and/or international organisations of data 
collected by the border control technology is either not allowed or restricted to very 
specific cases. 
Border management law adopts a special approach towards data transfer compared to 
the lex generalis. Data transfers to third countries are forbidden or limited to very spe- 
cific cases. This is due to the fact that the sharing of personal data with third countries 
could be particularly dangerous for those seeking international protection.'® Restric- 
tions are also in place regarding transfers to international organisations and private 
entities.” 

Accessibility of personal data. 

12.1. Only specific staff members of pre-defined national competent authorities have 
access to data processed by the border control technology. 

12.2. Only specific staff members of pre-defined EU agencies have access to data pro- 
cessed by the border control technology insofar as it is necessary for fulfilling 
their mandate or performing their tasks. 

Preventing unlawful access in the context of border management is a pressing 
issue considering the possibilities of function creep brought about by the inter- 
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operability of EU large-scale databases.’ This is why border management law 
ensures, on the one hand, that only specific staff members of pre-defined nati- 
onal competent authorities have access to data processed by the border control 
technology,’ and, on the other, that only specific staff members of pre-defined 
EU agencies have access to data processed by the border control technology 
insofar as it is necessary to fulfil their mandate or perform their tasks.'" 


7.5.2.2 Privacy and ethics requirements 
Border management law sets out provisions neither on ethics nor the protection of privacy 
or private life are scarce. 


It should be noted that privacy and ethics requirements are inferred from the broader 


requirement to ensure, in the course of border management activities, the protection of 
fundamental rights. As mentioned above, ethics (and privacy) requirements still remain 
legal requirements. Yet, ethics requirements have been defined in this way because com- 
pliance with them might be requested by ethics committees or similar expert bodies. 


Privacy Requirements 


l. 


Respect of one’s private life. The border control technology ensures that the processing 
of personal data respects one’s private life. 

Border management law requires that the processing of personal data respects one’s 
private life." 

Respect of (body) integrity. The border control technology ensures that the processing 
of personal data respects the (body) integrity of individuals. 

Border management law requires that processing of personal data respects the (body) 
integrity of individuals." 

Privacy by design. Privacy considerations have been embedded in the border control 
technology for its entire lifecycle. 

Border management law requires that data privacy considerations are embedded in 
the border control technology for its entire lifecycle.'* This requirement derives from 
the need for eu-LISA to follow the principles of privacy by design and by default 
throughout the entire lifecycle of the development of the EES. 

Privacy by default. The default settings of the border control technology are the most 
privacy-friendly possible. 

Border management law requires that the default settings of the border control tech- 
nology are the most privacy-friendly possible (H This requirement derives from the 
need for eu-LISA to follow the principles of privacy by design and by default throug- 
hout the entire lifecycle of the development of the EES. 


Ethics requirements 


l. 


Informed consent. 
1.1. The public is informed about the existence of the border crossing point" 


1.2. The public is informed of the temporary reintroduction of border controls.'° 
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2. Freedom of choice. 
2.1. Persons may opt to not use a border control technology (e.g. e-gate)."”” 
2.2. Persons who opt to not use a border control technology (e.g. e-gate) are not dis- 
criminated against for their choice.'"* 
3. Dual-use. 
Border management law sets restrictions on dual-use border control technologies 
(e.g. limitations to their export, transit and brokering).' 
4. Fairness. 
The use of the border control technology is fair towards third-country nationals. This 
requirement derives from the need of EU policies to be fair towards third-country 
nationals. ° 
5. Human dignity. 
5.1. The use of the border control technology does not result in inhuman or degra- 
ding treatment. This requirement derives from the need for border control to not 
result in inhuman or degrading treatment. "7 
5.2. Fingerprinting is in accordance with safeguards in the CFR.'” 
6. Non-discrimination and bias. 
The processing of personal data shall not result in discrimination against persons on 
any grounds.” 
7. Rights of elderly and people with disabilities. 
Border control technologies are designed to be used by all persons, except for children 
under 12 years of age.” 
8. Rights of children. 
8.1. Children under a certain age are exempted from providing fingerprints.” 
8.2. Border control alerts regarding children are admissible only in restricted cases, 
and with the aim of safeguarding the best interests of the child 
8.3. Alerts concerning children are deleted when the child reaches the age of majority.!”” 
8.4. Queries in the CIR against minors of 12 years of age are forbidden unless in the 
best interests of the child 7 
9. Vulnerable persons. 
9.1. Alerts concerning vulnerable persons are admissible only in restricted cases.’”” 
9.2. Alerts concerning vulnerable persons are deleted in certain circumstances.'”° 
9.3. Border guards have received specialised training for detecting and dealing with 
situations involving vulnerable persons." 
10. Non-refoulement and right to asylum. 
10.1. Regardless of the use of a border control technology, individuals are not subject 
to refoulement and have the possibility to request asylum. "°? 
10.2. Particular attention is to be paid to the rights of people in need of international 
protection.’ 
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gulation, Article 5 ECRIS-TCN Regulation for the CIR; confirmation files for the MID (Arti- 
cle 25 Interoperability Regulations 817 and 818). Note also that the definition of biometric data 
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law. The latter is more restricted, as biometric data encompasses only fingerprints, palmprints, 
facial images and DNA profiles and not, for example, behavioural characteristics. 
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See, for example, Article 44 SIS Regulation 1861 and Article 59 SIS Regulation 1862, Arti- 
cles 24 and 38 VIS Regulation, Article 27 Eurodac Regulation, Article 35 EES Regulation, 
Article 55 ETIAS Regulation, Article 9 ECRIS-TCN Regulation, Articles 32 and 33 Inter- 
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tal 19 Eurodac Regulation, Article 38 EES Regulation, Articles 75, 76, 77 ETIAS Regulation, 
Articles 12, 13 ECRIS-TCN Regulation. 
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the EDPS in relation to central system. Article 34 Eurodac Regulation requires Member States 
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See, for example, Article 52 SIS Regulation 1861, Article 37 VIS Regulation, Article 47 Inter- 
operability Regulation 817 (for VIS, EES, ETIAS, shared BMS, CIR, MID); Article 29 Euro- 
dac Regulation; Article 64 ETIAS Regulation. Note however that certain authors expressed 
concerns about the effectiveness of the legal framework at ensuring the exercise of the data 
subjects' rights, depending, inter alia, on its fragmented and complex nature. Diana Dimitro- 
va, “Surveillance at the Borders: travellers and their data protection rights” in Handbook on 
Data Protection and Privacy, eds. Paul De Hert, Rosamunde van Brakel, and Gloria Gonzalez 
Fuster (Edward Elgar, forthcoming). 

See, for example, Article 53 SIS Regulation 1861 and Article 67 SIS Regulation 1862, Arti- 
cle 38 VIS, Article 29 Eurodac Regulation, Article 52 EES Regulation, Article 64 ETIAS Re- 
gulation, Article 25 ECRIS-TCN Regulation, Article 48 and 49 Interoperability Regulations. 
Ibid. 

Ibid. 

For example, data subjects have the right to request human intervention when using the 
border control technology (Article 15 SBC); when an automated processing leads to a hit 
in ETIAS system, the application shall be processed manually by the ETIAS National Unit 
of the Member State responsible (human in the loop) (Article 26 ETIAS Regulation); when 
different identities are detected, manual verification is ensured (Article 29 Interoperability 
Regulations 817 and 818). 

See, for example, Article 58 SIS Regulation 1861 and 72 SIS Regulation 1862, Article 33 VIS 
Regulation, Article 37 Eurodac Regulation, Article 45 EES Regulation, Article 63 ETIAS Regu- 
lation, Article 20 ECRIS-TCN Regulation, Article 46 Interoperability Regulations 817 and 818. 
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European Union Agency for Fundamental Rights, Under Watchful Eyes: Biometrics, EU IT 
Systems and Fundamental Rights. 

See, for example, Article 50 SIS Regulation 1861, Article 31 VIS Regulation, Article 35 Euro- 
dac Regulation, Article 41 EES Regulation, Article 65 ETIAS Regulation, Article 18 ECRIS- 
TCN, Article 50 Interoperability Regulations 817 and 818, Article 89 Frontex Regulation. 
European Union Agency for Fundamental Rights. 

For the SIS, national competent authorities responsible for the identification of third-country 
nationals for the purposes listed in Article 34 SIS Regulation 1861; national competent autho- 
rities for the purposes listed in Art. 44 SIS Regulation 1862; national competent authorities 
responsible for naturalisation for examining an application of naturalisation (Article 34 SIS 
Regulation 1861 and Art. 44 SIS Regulation 1862); vehicle registration services, boat and air- 
craft registration services, firearms registration services as specified in Articles 45, 46 and 47 
Regulation 1862. Links between alerts do not affect the right to access (Article 48 SIS Regulati- 
on 1861). For the VIS, duly authorised staff of the visa authorities as specified in Article 6 VIS 
Regulation. For the Eurodac, for law enforcement purposes, as specified in Article 6 Eurodac 
Regulation. For the EES, duly authorised staff of the national authorities of each Member State 
as specified in Article 9 EES Regulation. For the ETIAS, duly authorised staff of the ETIAS 
Central Unit and of the ETIAS National Units as specified in Article 9 ETIAS Regulation. For 
the ECRIS-TCN, only duly authorised staff have access to the data for the performance of their 
tasks as specified in Article 13 ECRIS-TCN Regulation. For the ESP, see Article 7 Interopera- 
bility Regulations 817 and 818. For the CIR, see Articles 18 and 20 Interoperability Regulati- 
ons 817 and 818. For the MID, see Article 26 Interoperability Regulations 817 and 818. Note 
however that certain authors criticised the rules on the functionality of the MID, considered 
ambiguous, inter alia, in relation to the access of the SIRENE Bureaux to the links. Diana Di- 
mitrova and Teresa Quintel, “Technological Experimentation Without Adequate Safeguards? 
Interoperable EU Databases and Access to the Multiple Identity Detector by SIRENE Bureaux.” 
For access by Europol to the SIS, see Article 35 Regulations 1861 and Article 48 SIS Regula- 
tion 1862; to the VIS, see Article 3 VIS Regulation; to the Eurodac, see Article 21 Eurodac 
Regulation; to the EES, see Article 33 EES Regulation; to the ETIAS, see Article 53 ETIAS 
Regulation; to the ECRIS-TCN, see Article 14 ECRIS-TCN Regulation; to the ESP, see Arti- 
cle 7 Interoperability Regulations 817 and 818; to the CIR, see Article 17 Interoperability Re- 
gulations 817 and 818. For access by Eurojust to the SIS, see Article 49 SIS Regulation 1862; 
to the ECRIS-TCN, see Article 14 ECRIS-TCN Regulation. For access by Frontex to the SIS, 
see Article 36 Regulations 1861 and Article 50 SIS Regulation 1862. 

See, for example, Article 5 Interoperability Regulations 817 and 818, Article 14 ETIAS Regu- 
lation, Recital 13 Eurodac Regulation. 

See, for example, Article 5 Interoperability Regulations 817 and 818, Article 14 ETIAS Regu- 
lation. 

See, for example, Article 37 EES Regulation. 

Ibid. 

See, for example, Article 5 SBC. 

See, for example, Article 34 SBC. 

See, for example, Articles 8a and 8b SBC. 

Ibid. 

See Regulation (EC) No. 428/2009 of 5 May 2009 setting up a Community regime for the 
control of exports, transfer, brokering and transit of dual-use items (Dual-use Regulation). 
See, for example, Article 67 TFEU. 

See, for example, Article 8c SBC, Article 5 Interoperability Regulations 817 and 818, Article 14 
ETIAS Regulation. 

See, for example, Article 3 Eurodac Regulation. 
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See, for example, Article 7 SBC, Article 14 ETIAS Regulation, Article 5 Interoperability Regu- 
lations 817 and 818. 

See, for example, Article 8c SBC. 

See, for example, Article 17 EES Regulation, Article 9 Eurodac Regulation. 
See, for example, Articles 32 and 55 SIS Regulation 1862. 

Ibid. 

See, for example, Article 20 Interoperability Regulation 818. 

See, for example, Article 32 SIS Regulation 1862. 

See, for example, Article 55 SIS Regulation 1862. 

See, for example, Article 16 SBC. 

See, for example, Article 4 SBC. 

See, for example, Article 5 Interoperability Regulations 817 and 818. 
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Introduction 


The purpose of this Chapter is to provide sufficiently detailed explanations to enable the 
completion of the Template for reporting the integrated impact assessment process (An- 
nex 1). The assessors consult this Chapter’s instructions in conjunction with Annex 1, 
whose structure firmly corresponds to the structure herein. 

The Template for reporting the integrated impact assessment process in Annex 1 is 
organised into tables and matrices. Following the 11-step method, consecutive steps are 
marked in brown and the ongoing steps in orange, as presented in the diagram below. The 
assessors are to fill in only the fields coloured in light brown or light orange. A field for 
any further remarks or comments, if necessary, is provided at the end of each step. The 
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assessors fill in, in an easily understandable language, the empty rows in the tables and/or 
other fields assigned to each step. To the greatest extent possible, each answer is exhaustive 
and sufficiently motivated (described, explained, justified, etc.), as is equally the case for 
the criteria/explanations ‘fulfilled’ and ‘not fulfilled’ Further rows can be added in each 
table, should there be a need, or, should the space be insufficient, each element can be 
moved to attachments. Alternatively, any of the tables and/or fields may be removed, and 
the same information presented in some other format if the assessors deem it appropriate. 
Provision of an explanation is required whether the box is ticket or not. After the receipt of 
the filled-in report, the sponsoring organisation, in turn, fills in the light green fields only, 
facilitating the final decision (of whether or not to proceed with the envisaged initiative). 

The Template assumes the team of assessors is familiar with the legal framework for 
personal data protection and privacy in the European Union, as well as the principles of 
ethics and social acceptance. (References to legal provisions without any further specifi- 
cation pertain to the General Data Protection Regulation [GDPR].) It also assumes mini- 
mum familiarity with the process of risk appraisal and with the criteria limiting the enjoy- 
ment of human rights, in particular those of necessity and proportionality. Furthermore, it 
is expected that all relevant stakeholders, be they the data controller(s), the data protecti- 
on officer (DPO), the pertinent EU agencies and border control authorities, among others, 
are involved in the entirety of the assessment process. As the assessment process concerns 
an as-yet-unimplemented initiative, the assessors may have to rely on estimations and, at 
times, incomplete information. 
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PHASE I: PREPARATION OF THE ASSESSMENT 
PROCESS 


Step 1: Screening (threshold analysis) 


The goal of this Step is to determine if the impact assessment process is required in the first place. Con- 


ducting the impact assessment process is necessary when one or more criteria set forth by law (for data 

protection and privacy) or by other principles (ethics and social acceptance) are met, or, alternatively, it 
is not required when a pertinent exemption is provided. This is preceded by the preliminary description 
of the initiative, which provides a contextual and a technical overview thereof. 


Step 1a: Preliminary description 

In this part, the assessors briefly expose the most critical aspects of the envisaged initiative, 
answering questions about the context and technical aspects thereof. The overview is qua- 
dripartite, comprising the assessment benchmark, namely: i) the right to data protection; 
ii) the right to privacy; iii) ethics; and iv) social acceptance. Although little information is 
usually available at the early stages, the preliminary description is kept short (approx. one 
page), while still being sufficiently detailed to allow the assessors to determine whether or 
not the threshold criteria are satisfied. General statements are avoided. If, in Step 1b, it is 
determined that the assessment process is required, this preliminary description will be 
expanded in Step 4. 


Step 1b: Screening 

Step 1ba: Data protection: The assessors analyse whether the envisaged data processing 
operations satisfy any of the threshold criteria prescribed by law. As a prerequisite, the 
assessors determine if personal data would be processed within the envisaged initiative. 
The threshold criteria are based on the concept of risk, and are either positive or negative. 
The negative criteria take precedence over positive ones. If any of the positive criteria are 
satisfied, the assessment process for the right to personal data protection will then be re- 
quired by law. By contrast, if any of the negative criteria are satisfied, the data controller is 
exempted from conducting such an assessment process. 

Step 1bb: Ethics and social acceptance: The assessors determine whether the envisaged 
initiative raises any ethical or social acceptance challenges by answering a set of questi- 
ons. If any of them is answered affirmatively, the ethics assessment and social acceptance 
assessment are required. Conversely, if all are answered negatively, there is no need for 
an ethics and social acceptance assessment. The assessors proceed to this Step in order to 
complement the data protection element (Step 1b), when this is required. 

Step 1bc: Privacy: The assessors determine if the envisaged initiative interferes with any 
of the 9 dimensions of privacy, Le, bodily, spatial, communicational, proprietary, intellec- 
tual, decisional, associational, behavioural and informational privacy. If at least one type 
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of privacy is interfered with, then a privacy impact assessment is required. Conversely, if 
none is interfered with, there is no need for a privacy impact assessment. 

If no integrated impact assessment process is required or warranted, the assessors pre- 
pare a reasoned statement of no significant impact. 


Step 2: Scoping 


The goal of this Step is to identify, with a reasonable degree of precision: 
the benchmark of the integrated impact assessment, in which case, four elements are examined in parti- 
cular: i) the right to data protection; ii) the right to privacy; iii) ethics; and iv) social acceptance (Step 2a) 
the categories of stakeholders, that is, those to involve in the assessment process and how to involve 
them in each Step (Step 2b) 
appraisal techniques, other than the necessity and proportionality assessment, and risk assessment, 
to be used in the assessment process (Step 2c) 


other evaluation techniques that may be warranted or necessary (Step 2d). 


Step 2a: Benchmark 

Step 2aa: Data protection: The assessors first map the aspects that the envisaged data pro- 
cessing operations would touch upon by checking the applicable laws and regulations. 
The assessors list all legal (national, European, international) and regulatory instruments 
applicable to the initiative, including by-laws (e.g. policies, codes of conducts, technical 
standards) applicable within the organisation. This also constitutes the legal and regulato- 
ry framework for border management, from which compliance requirements are inferred 
and checked against in Step 5. 

Step 2ab: Ethics: The assessors identify the ethical arguments that are mobilised to sup- 
port or criticise the initiative in the public debate. Each set of arguments is assigned an 
ID that will be used in the subsequent phases of the assessment. This task requires that 
the assessors perform some preliminary desk research (if necessary, they can ask external 
researchers to provide support in this regard). The assessors fill in the relevant table in the 
template by ticking the arguments that apply to the initiative, with the help of the exam- 
ples provided and explained in Chapter 5. The assessors may add extra arguments through 
the addition of extra rows, as indicated in ‘1.x .. ‘2.x etc, 

Step 2ac: Social acceptance: The assessors identify three aspects: the perspective to as- 
sess social acceptance, the categories of stakeholders and the acceptance assessment tech- 
niques. Regarding the perspective of social acceptance, the assessors choose between (at 
least) one of the three levels indicated in Chapter 6 (i.e. socio-political, community or 
market perspective) and tick the chosen level. An assessment of all three perspectives is not 
required, yet, the focus must not be exclusively on the market perspective. The assessors 
identify a list of stakeholders that is specific for the social acceptance assessment. Stakehol- 


147 


Border Control and New Technologies 


ders are understood in the broadest sense, and their range and the number to be involved 
is commensurate to the processing operations. Stakeholders are not assessors; the former 
provide input, which the latter subsequently take into account or reject. This activity can be 
performed in parallel with the identification of stakeholders for the ‘stakeholder involve- 
ment phase’ (Step 2b), which will provide the assessors with a broader list to be consulted 
throughout the whole impact assessment process. The sample chosen, especially for tra- 
vellers, is to be as representative as possible. The assessors choose at least one technique of 
stakeholder involvement, without relying too heavily on questionnaires, especially if they 
are close-ended and require a quantitative analysis. Finally, the responses from the questi- 
onnaires can be made more robust by informing the respondents about the initiative under 
assessment with, for example, informational meetings or technology demonstrations. 
Step 2ad: Privacy: The assessors identify which types of privacy will form part of the 
benchmark, and justify why these identified types are interfered with. To do so, they will 
briefly describe the interference, the circumstances and the vulnerability that is produced 
due to the contact ofa natural person with a specific technology, using the same types of pri- 
vacy that they included in the previous step. Additionally, they will determine the appraisal 
techniques that they deem most pertinent (usually the privacy impact assessment) and the 
stakeholders, who may be the same as those involved in the data processing operations. 


Step 2b: Stakeholders and their consultation techniques 

In this step, the assessors identify the categories of stakeholders to be consulted throug- 
hout the impact assessment process, namely internal and external stakeholders. The list 
is broader than the one compiled for Step 2a (social acceptance scoping). Possible techni- 
ques to involve stakeholders are provided in Annex 2 of this Volume. Critical external sta- 
keholders in the context of border management law are EU agencies and bodies, carriers, 
Passenger Information Units (PIUs) and technology providers, among others. 


Step 2c: Appraisal techniques 

Six appraisal techniques are foreseen, corresponding to the quadripartite benchmark: (a) 
necessity and proportionality, and (b) risk assessment for data protection; ethics assessment 
for ethics; privacy impact assessment for privacy; social acceptance assessment for social 
acceptance; legal compliance check against data protection, privacy, ethics requirements, 
inferred from border management law as identified in Step 2a (the legal compliance check 
is expected to enhance social acceptance, too). Should these six appraisal techniques prove 
to render insufficient information for decision-making purposes, other appraisal techni- 
ques should be employed, as listed in Annex 3, e.g. scenario analysis (planning), technology 
foresight or cost-benefit analysis (CBA). 


Step 2d: Other evaluation techniques 


The assessors can resort to other evaluation techniques, which may be warranted or even 
required by law. For example, if the envisaged initiative also affects the natural and/or hu- 
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man environment, then a standalone process of environmental impact assessment (EIA) 
may be needed alongside the integrated impact assessment process. 

In addition, for the reasons of comprehensiveness and efficiency, various types of impact 
assessment and other evaluation techniques can be integrated, provided the benchmark 
and/or appraisal techniques are coherent, not subordinate to one another, and not internal- 
ly contradictory. Results of such an integrated assessment process must then be synthesised. 


Step 3: Planning and Preparation 


The goal of this Step is to set the terms of reference of a given impact assessment process, constituting 


a written manual therefor, which may possibly be updated throughout the assessment process. For 


all parts of the benchmark, the assessors can devise a common approach since the resources and the 
timeframes of each separate assessment should align with each other. 


Specific objectives of a given process: On the one hand, the substantive goal of an impact as- 
sessment process is to ensure informed decision-making by comprehensively examining the 
elements of the benchmark. On the other, its formal goal is to comply with the law and ethi- 
cal or social norms. The impact assessment process aims to ensure both goals are achieved 
by aiding the decision-making process as to the deployment of the initiative; however, the 
assessors may clarify in greater detail the specific objectives of a given assessment process. 

Acceptability criteria of negative impacts: The criteria are set and justified for each element 
of the benchmark and for each appraisal technique employed (cf. Step 2c). For instance, the 
element of data protection requires that the data controller set and justify a threshold below 
which a processing operation would be deemed unnecessary and/or disproportionate. Fu- 
rthermore, it requires that the controller set a threshold above which a risk to a right would 
no longer be deemed acceptable (e.g. risk-prone, or risk-adverse). The data controller defi- 
nes both the likelihood and severity scales beforehand. The same exercise can be repeated 
for each element of the benchmark, with respect to the nature and specificities of each. 
Jurisprudence in border control, relevant legislation and common practices are, among 
others, ideal sources for setting the acceptability criteria of negative impacts. 

Resources to be committed: The assessors list and ensure the resources which they need 
for conducting the impact assessment process, which include time, money, workforce, 
knowledge, know-how, premises and infrastructure. Assessors might resort to the help of 
software that facilitates the impact assessment process by automating parts thereof. Lastly, 
the choices of locations (e.g. a venue for a workshop or for a facility tour) or setup (e.g. of 
a technology demonstration) further contribute to the selection of resources. 

Procedures and timeframes: The assessors establish the timeframes for an impact assess- 
ment process, specifying, for example, milestones and deadlines, assigning responsibilities 
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and specifying who is answerable to whom within the organisational structure. For exam- 
ple, the ethics assessment is connected to the preparation of paperwork required in order 
to obtain the ethical approval and/or opinion from the relevant ethics committee or com- 
petent authority of the country hosting the study. The latter applies especially if (sensitive) 
personal data of people are processed during the assessment. 

Team of assessors, and their roles and responsibilities: The assessment process requires 
multiple types of expertise. The organisation responsible for the initiative chooses the as- 
sessors on the basis of transparent criteria, either internal or external (outsourced), spel- 
ling out their roles and responsibilities, and ensures their professional independence (e.g. 
assessors do not seek nor receive instructions; their bias is explicitly marked as such). 

Stakeholders: Based on the pre-defined categories in Step 2b, the assessors identify a list 
of stakeholders (e.g. a minimum number of people interviewed, number of participants 
in the workshop, etc.), taking into account and ensuring diversity (e.g. gender balance, 
geographic diversity, age diversity or multidisciplinarity). For large-scale consultations, a 
consultation plan may be necessary. Personal data of identified stakeholders is appropria- 
tely protected. The planning includes: 

e dates and timespan of the assessment (e.g. duration of interviews); 

e setup (e.g. of a technology demonstration); 

e questionnaire or interview design; 

e number and modality of stakeholders to involve (e.g. a minimum number of people 
interviewed, number of participants in the workshop, etc.). 


Continuity: The organisation specifies the continuity of the assessment process in the 
event of, for example, changes in the actors involved in the assessment process (e.g. as- 
sessors, data controller, data processors, etc.), or disruption, natural disasters, or utility 
failures. 

Revision: The organisation specifies the criteria that would trigger the revision of the 
impact assessment process. For instance, with regards to the data protection element, a 
change in the level of risk could be enough to trigger the revision of the whole process. 
The level of risk depends on the technological advancements, on the users’ perception 
of a technology, or on a landmark court decision that re-interprets a legal provision. The 
decision as to whether to revise the entire process or just a part of it is dependent on the 
degree to which the elements of the benchmark are intertwined with each other. 
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PHASE Il: ASSESSMENT 


Step 4: Systematic (detailed) description of the initiative 


The goal of this Step is, by expanding the preliminary description (cf. Step 1a), to systematically descri- 


be the envisaged initiative both contextually and technically. 


A long list of factors is to be taken into consideration in relation to the right to data protec- 
tion. As an illustration, contextual aspects include the nature, scope, internal and external 
context, and purposes of the envisaged processing operations and, when applicable, the 
legitimate interest pursued by the data controller. Technical aspects include diagrams of 
data flows and/or other visualisations, which might be appended. Such a description can 
also be based on the records of processing operations. Continuing the systematic descrip- 
tion with regards to the right to privacy, the assessors identify, for example, the actors and 
parties involved in the initiative, the scope of the right based on the nine aforementioned 
types of privacy, and the level and nature of intrusiveness, among others. Lastly, a detailed 
description relevant to the ethics and social acceptance of the initiative may involve a de- 
scription of the broader ethical and societal impact of the initiative, beyond those of the 
right to privacy and data protection. 

The critical difference in the systematic description, compared to the preliminary one, 
is that it must expand the latter (cf. Step 1a), and hence needs to be much lengthier and 
more comprehensive. It shall be sufficiently complete, accurate and reliable so as to con- 
stitute the basis for the analysis and assessment of impacts in Step 5. 


Step 5: Appraisal of Impacts 


The goal of this Step is to analyse and assess the impacts of the envisaged initiative, appraised in accor- 
dance with the pre-selected techniques. These impacts pertain to the societal concern(s) that might be 
touched on by the planned initiative, and to the positioning of the stakeholders, who might be external 


to the sponsoring organisation. Typically, the assessment consists of a detailed identification, analysis, 


and evaluation of the impacts. 


Step 5a: Data protection 

Step 5aa: Necessity and proportionality of the processing operations: The assessors use spe- 
cific appraisal techniques pre-defined in Step 2c and base their analysis on the results of 
Step 4. The assessors can use any of the numerous suitable methods made available thus 
far, or they can employ the one proposed in Annex 1. Contrary to methods for assessing 
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risk (e.g. international standards, such as ISO 31000:2018 or ISO 27005:2018), methods 

for assessing proportionality and necessity in the context of personal data protection are 

rather scarce. 

The assessment of necessity and proportionality can occur at two levels. First, each 
data processing operation is assessed against personal data protection principles (Level 1). 
These are: lawfulness, fairness and transparency, purpose limitation, data minimisation, 
accuracy, storage limitation, integrity, and confidentiality, including security of processing 
and data protection by design and by default. Each data processing operation is assessed in 
a specific table, with this table needing to be replicated for each data processing operation. 

Given the fact that a fundamental right is at stake and that an assessment process of the 
envisaged processing operations against solely personal data protection principles (Level 
1) might not always be sufficiently complete, to the detriment of the level of protection and 
the quality of the decision-making process it is intended to advise, the assessors may de- 
cide to expand their appraisal to the entirety of human rights limitation criteria (Level 2). 

As the right to personal data protection and many related fundamental rights are not 
absolute but rather relative ones (i.e. an interference with the right can only be justified 
under certain conditions), the following five limitation criteria derived from Article 52 of 
the CFR can be applied: 

e legality (i.e. if a basis for a data processing operation is ‘provided for by law of a suf- 
ficient quality, for example, clarity, accessibility, precision, foreseeability, conformity 
with the rule of law); 

e the respect for the essence of a right (i.e. if the interference with a fundamental right 
does not make it impossible to exercise a right); 

e legitimacy (ie. if a processing operation serves a given ‘general interest’ (cf. e.g. Ar- 
ticle 3 Treaty on European Union (TEU)) or ‘protect[s] the rights and freedoms of 
others’); 

e necessity (i.e. if a processing operation is ‘necessary and [if it] genuinely meet|s]’ le- 
gitimate objectives); and 

e proportionality sensu stricto (e.g. balancing) (i.e. if the least intrusive option has been 
chosen). 


Step 5ab: Risk to the rights and freedoms of natural persons: On the grounds of data pro- 
tection law, risk is understood as a negative consequence arising from processing opera- 
tions that might or might not occur in the future. Such a consequence, if it materialised, 
would give rise to physical, material or non-material damage for natural persons (largely, 
data subjects) and not solely for the data controllers or data processors. Risk assessment 
is meant to be as objective as possible; this is, however, not always achievable in practice, 
due to ambiguities about assignable likelihoods and possible types of damage, and the 
subjectivity of perceptions of risk by stakeholders. 

Risk is typically assessed by combining two measurements, namely its likelihood or 
probability (i.e. chance of happening) and its severity (i.e. magnitude of consequences). 
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Risk can be assessed qualitatively, quantitatively or through a combination of both. There 
are aspects of personal data protection that fit into the former (i.e. risk to rights and free- 
doms) and the latter (e.g. data security). Quantitative risk assessment measures the proba- 
bility of occurrence of a risk and combines this with its severity. Probability is expressed 
on a scale ranging from 0 to 1. In turn, qualitative risk assessment instead uses levels of li- 
kelihood (e.g. a quadripartite descriptive scale of negligible, low, medium, and high) to be 
combined with its severity. Eventually, severity of a risk indicates a magnitude of damage 
should a risk materialise. It can be equally expressed on a quadripartite descriptive scale. 
Both scales — likelihood and severity — are predefined and justified in Step 3b. A typical 
method for risk assessment requires, first, the identification of a risk. In the second step, 
the risk is analysed, for example by multiplying the likelihood (probability) of its occur- 
rence by the severity of its consequences. In the third step, the risk is evaluated, in order to 
determine whether the risk and its level are acceptable, if any mitigation measure is to be 
recommended, and if any risk(s) should be prioritised. 


Step 5b: Ethics 

Analysis: The assessors analyse the recurrent arguments in the debate with specific refe- 

rence to the technology under assessment, by answering the guiding questions with elabo- 

rated open answers. Along with the preliminary examples provided under the respective 
column, the assessors shall look into arguments: 

e Appearing in newspapers, policy discourses, academic literature on the initiative (or 
similar initiatives), and/or 

e Used by the company that produces the technology (or similar technologies), and/or 

e Used by civil society organisations (e.g. activists, human rights NGOs). 

e The assessors adapt each generic argument to the context of the assessment and inclu- 
de any relevant variations of the argument under the column ‘explanation. For every 
explanation, the assessors refer to the specific ID assigned in Step 2a. The assessors 
complete only the parts (IDs) that were ticked in Step 2a. 


Assessment: The assessors determine whether the arguments identified and analysed in the 
analysis are sound or inconsistent. It is not necessary to complete both sub-columns under 
‘assessment; but at least one of them must be completed. Under the column ‘assessment, 
the assessors might indicate: 

e Whether there is any conflict between the arguments identified. For example, whether 
one argument contradicts another, or whether one argument is usually preferred over 
another (e.g. consequentialist arguments preferred to deontological or distributive 
justice ones). To indicate the conflicts, the assessors should use the ID numbers assig- 
ned in the previous phases. 

e Whether there can be counter-arguments or fallacies to the arguments identified. The 
assessors use Section 5.2.3 as a guide, where for each argument possible criticisms or 
a list of fallacies are provided. 
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Step 5c: Social acceptance 

Analysis: After having executed one or more social acceptance assessment techniques 
identified in Step 3, the assessors analyse the data collected during the previous phase, for 
example, if the chosen technique is a questionnaire, the assessors collect a number of com- 
pleted questionnaires, be these in person or online. If the technique chosen is a workshop, 
participants are invited, the event is held, and minutes and/or are taken by the assessors 
during the event. If the technique is an interview or an observation, the assessors/inter- 
viewers take field notes and/or recordings of the discussion, and so on. which are reported 
again in the first column and ascribed an ID number. The ‘type of analysis’ can be qualita- 
tive or quantitative, or a mixture of the two, depending on the types of technique chosen. 
Answers obtained through close-ended questions (with scales or multiple choices) can be 
analysed quantitatively, using, for example, pie charts or percentages. Answers to open- 
ended questions involve qualitative analysis (discussion and critical analysis) without the 
use of digits and calculations. 

The assessors find patterns and report a summary of findings in the final column. The 
findings include results that are exceptional and stand out, whereby the analysis does not 
simply reveal data that confirm the assessors’ initial hypothesis. In the case of interviews 
and questionnaires, the assessors may find patterns in the replies to certain questions (e.g. 
some categories of travellers find the technology invasive, or the majority of interviewees 
find it convenient). 

Assessment: The assessors assess the data analysed in the previous phase. Depending 
on the results, they come up with a list of (envisaged) positive and negative consequences 
stemming from the initiative, and specify which stakeholders are affected, and the extent 
to which the initiative affects them positively or negatively, by listing their names in the 
appropriate column. 


Step 5d: Privacy 

An explanatory representation of the assessment of privacy is illustrated in an 8x7 matrix, 
where on the vertical axis the eight types of privacy are listed (excluding informational 
privacy, which is equalised to data protection), and on the horizontal axis are listed the 
human rights limitations criteria against which these are assessed. 

The assessors tick the appropriate box in the first column of the matrix (under: Appli- 
cability — ticking the box signifies that a certain type of privacy is assessed), and briefly 
describe the envisaged impact on each applicable type of privacy using factual and theore- 
tical substantiation. Following this, and only for the applicable types of privacy under as- 
sessment, the assessors analyse each interference against human rights limitation criteria 
(i.e. legality, essence, necessity, proportionality, legitimacy); these criteria were elaborated 
in Step 5aa (cf. supra). 
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Step 5e: Legal compliance check against border management law 

Analysis: The assessors evaluate whether or not the requirements listed in the table are 
applicable to the initiative under assessment; they may also include other requirements 
extracted from the legal framework applicable to the initiative, as identified in Step 2aa. 
An ID number (and sub-ID, when relevant) is assigned to each requirement. It is probable 
that not all requirements listed in the table (as extracted from the rules on EU large-scale 
databases, interoperability, Schengen Borders Code and Frontex Regulation) are appli- 
cable. Conversely, in cases where other rules are applicable (e.g. national laws), it may be 
necessary to complement the list with other requirements. 

Assessment: Only if a requirement is applicable do the assessors evaluate the compli- 
ance of the initiative with the said requirement. The result of the assessment is binary 
(ticking or not ticking the box) because an initiative is either compliant or non-compliant 
with the requirement. Partial compliance is to be considered as non-compliance. In both 
situations, they motivate their assessment by specifying, inter alia, the legal and regulatory 
provisions from which the requirements were extracted. Reference to the legal provisions 
can be found in Chapter 7, in particular Section 7.5 Legal Requirements enshrining data 
protection, privacy and ethics in EU border management law. 


Step 6: Recommendations 


The goal of this Step is to provide concrete, detailed measures (controls, safeguards, solutions, etc.), their 
addressees and their timeframes in order to minimise the negative impacts and, if possible, to maximise 
the positive ones. The assessors justify their distinction between ‘negative’ and ‘positive’ impacts since this 
distinction is contextual and subjective. The assessor takes stock of the measures already implemented. 


Particularly, in the process of this integrated impact assessment, recommendations for data protection 


are embedded in Step 5, while for the other elements of the benchmark, a separate Step is introduced 
(Step 6). This choice is warranted due to the level of granularity, which is formally required by law in the 
case of data protection. 


Data protection: By recommending possible mitigating measures, the assessors address 
the risks, and non-necessity and disproportionality of the processing operations in or- 
der to protect individuals and to demonstrate compliance with law. Assessors might also 
suggest measures to maximise positive impacts. They recommend and describe mitigati- 
on measures for each negative impact (risks, disproportionate and unnecessary interfe- 
rences) identified in Step 5. Each risk is mitigated by manipulating either its likelihood 
(probability) - by, for example, limiting the exposure to a risk - or its severity - by, again 
for example, preparing a response plan should the risk materialise — or both. Risks can be 
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avoided, mitigated, transferred (to another entity, e.g. outsourcing, insurance, etc., or in 
delayed in time) or accepted. Residual risks are those that remain if there is no measure 
available to mitigate them and trigger a prior consultation with a supervisory authori- 
ty (SA) (cf. Step 7). For both risk and non-necessity and disproportionality, mitigation 
measures can be of a regulatory (legal), technical, organisational or behavioural nature. 

Ethics: The assessors provide recommendations on the basis of the critical evaluation 
of the ethical arguments identified, either to suggest how to identify (recurring) fallacies 
or to highlight some arguments that are side-tracked or overlooked in current policy and 
academic debates. For example, if an argument is not sound or is fallacious, what can 
be done to criticise it? What channels can be used to provide criticisms in the public 
debate and raise awareness? How can the public be informed of the possible risks? If two 
(or more) arguments are in contrast, is there a way to balance them? Which of the two 
arguments in contrast is the more convincing? Why? Are there any arguments that are 
side-tracked, suppressed, or marginalised? If so, why and by whom? If necessary, how 
can these ‘hidden’ arguments be brought to the attention of the public? If an argument is 
sound, and the initiative is beneficial, how can this be disseminated more effectively? Can 
similar initiatives be proposed in other contexts? How can this be translated into policy or 
new design ideas? If an argument is sound, and the initiative is harmful, how can the risks 
be mitigated? Are there alternative solutions in place that would be less harmful? How can 
this be translated into policy or new design ideas? 

Social acceptance: Through the recommendations, the intention is not that the assessors 
ensure that the initiative is accepted, but rather that they suggest how to address the rea- 
sons of discomfort or resistance. If the assessors conclude, by contrast, that there are few 
reasons of discomfort or resistance, they might recommend some steps to develop or to 
deploy the initiative further. The assessors choose the scope and length of the recommen- 
dations, but below are some suggestions depending on the outcome of the assessment: 

e — If (some) travellers find the initiative acceptable and beneficial, how can these results 
be communicated? How can they be translated into policy initiatives? 

e If (some) travellers find the initiative unacceptable and harmful, how can these harms 
be avoided? Is it possible to achieve the same results through less harmful means? 

e If (some) travellers show different attitudes, how can these attitudes be reconciled to 
distribute harms and benefits more fairly? 


Privacy: Given that in the previous Steps the assessors have already identified which types 
of privacy are applicable and to what extent they are interfered with, in this Step they 
introduce reverse mechanisms. Their objective is to compensate for the limitations to the 
right, depending on the scope of the assessment and the nature of interference (i.e. the 
level of intrusiveness). Such remedies could take the form of additional safeguards, trans- 
parency modalities, right of access and information forms, and explicit consent mecha- 
nisms, to be applied both before and after the use of the technology. When proposing the 
recommendations, the assessors shall ensure that the involved parties, including the users 
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of the technology, are able to be appropriately informed (at least in high-level) about the 
technology under assessment, its explicability, and also the meaning and function of each 
privacy type. There is no standard mathematical formula for assessing the risks to the 
right to privacy. Among best practices, it would be appropriate for the assessors to report 
a misalignment of the envisaged initiative and the technology involved therein, if at least 
one of the privacy types is unnecessarily and/or disproportionately interfered with. 

Legal compliance check against border management law: When a requirement is not 
met, the assessors provide recommendations to ensure that the initiative is adjusted, and 
compliance with the requirement is achieved. The assessors use the ID and sub-ID num- 
bers identified in the previous Step to classify the measures to be taken. The measures re- 
commended can be technical or organisational. For example, an organisation may set up 
accountability measures (e.g. self-monitoring, staff-training). If the default settings of an 
e-gate do not respect the right to privacy, the recommendation would be to change them; 
if a border control technology could not be used by visually impaired persons, the recom- 
mendation would be to modify the design of the technology to make it more inclusive. 
The assessors conclude this Step with an implementation plan in which the responsible 
person, in a separate process, lists the measures and their deadline. 

Upon receipt of the report, the leadership of the organisation makes a decision as to the 
deployment of an envisaged initiative and under what conditions. 


PHASE Ill: EX POST (EVENTUAL) STEPS 


Step 7: Prior Consultation with a Supervisory Authority 


The goal of this Step is to seek advice from an SA in the event that an impact assessment process 
indicates the existence of high residual risk(s) in the absence of measures taken by the data controller to 
mitigate such risk. Since this legal requirement is found only in data protection legislation, it essentially 


concerns only the first element of the benchmark pertaining to data protection. 


The process of integrated impact assessment, to the extent that it incorporates a data protec- 
tion impact assessment, is observed by the domestic SA. In this case, the parts on privacy, 
ethics and social acceptance would not be subject to review and consultation from an SA. 

The communication with the SA is mainly in written form; frequently, the SA will re- 
quire specific forms (templates) to request a prior consultation; the European Data Pro- 
tection Board (EDPB) maintains an up-to-date contact list of its Member SAs. Insofar as 
an SA considers that the envisaged processing operations could infringe the law, it may 
provide a written notice to the data controller within a reasonable time, depending on the 
complexity of the request. An SA might also use its investigative and advisory powers in 
order to scrutinise the impact assessment process formally and substantially. 
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Step 8: Revisiting 


The goal of this Step is to decide whether and when to perform the impact assessment process again, in 


its entirety or in part, under the condition that the envisaged initiative has been deployed. 


Following the criteria defined in Step 3 (under ‘Criteria triggering the revision of the as- 
sessment process ), the assessors perform a review of the impact assessment process when 
necessary. Regarding the case of data protection, this Step is performed when there is a 
change in the risk represented by the processing operations, i.e. if the nature, scope, con- 
text, or purpose of the processing operations have changed, and hence so has the level of 
risk. An impact assessment process then has to be conducted again, in total or in part. 

Apart from the change in the level of risk due to a modification of a data processing 
operation, other factors triggering the revision process are the circumstances of the initi- 
ative’s deployment, such as extending the accessibility of EU large-scale databases to more 
actors, the perception of social acceptance and ethics vis-a-vis a specific technology, and 
possibly the public pressure exercised. 


ONGOING PHASE 


Step A: Stakeholder involvement 


The goal of this ongoing Step, which runs in parallel to each phase, is to consult (typically, seek views), 


throughout the entire process, if practicable, of anybody who holds a stake (interest) in the initiative, re- 


gardless of whether or not they are aware of this and of whether or not the interest is directly articulated. 


Stakeholders are typically identified, informed, involved (consulted) and, eventually, have 
their views considered. Stakeholders whose categories have been stipulated in the Scoping 
Step (Step 2b) are now further identified in this Step. Their involvement is continuous, and 
they are asked about their views on the subject matter of each Step. Information given to sta- 
keholders is robust, accurate, inclusive and meaningful, in plain (understandable) language, 
and may require the preparation of specific documentation, e.g. technical briefings. Having 
gathered the viewpoints of the stakeholders, the assessors consider and take a stance on 
their views, i.e. whether they accept them or not; if the latter, the assessors provide exhaus- 
tive justification for this. Among information, consultation, and co-decision, the choice is 
set at consultation, yet other levels are not excluded, should assessors deem it necessary. 
Data protection: The goal of the stakeholder involvement is to consult (seek views), 
throughout the entire process, of data subjects and/or of their representatives as to the 
envisaged processing operations and privacy interferences. The exact meaning of this legal 
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requirement is not — and cannot be — delineated, due to the subjectivity of the term ‘invol- 
vement and the ‘appropriateness’ of involvement. These, in turn, depend on the degree of 
explicability of a given technology, on the number of relevant parties, and on the size of 
the project, among others. 

Privacy: Beyond the formalities required by data protection legislation, a considerable 
number of stakeholders, with interdisciplinary backgrounds, participate in the public dis- 
course surrounding the right to privacy. Stakeholders that are usually consulted include 
non-governmental organisations (NGOs) that incorporate the protection of fundamental 
and digital rights within the scope of their mission, the government, political parties, the 
police, and other authorities such as the border control authority or the ministry of inter- 
nal affairs, to name a few. 

Ethics: The assessors involve stakeholders in any of the previous Steps, if deemed ne- 
cessary. In Step 1c, in the event that the threshold analysis questionnaire evokes a negative 
result (i.e. no ethics assessment is needed), the assessors consult stakeholders to confirm 
or oppose this outcome, to make the result of the screening more robust. In Step 2a, the 
assessors involve stakeholders (e.g. researchers or policy makers) to provide input as to 
the type of arguments present in the public debate, especially if the team of assessors does 
not possess enough knowledge or skills on the topic. In Step 5, the assessors involve stake- 
holders to carry out the analysis or to integrate or validate its results. Lastly, the assessors 
involve stakeholders to critically assess the arguments, support them in this task, or corro- 
borate/criticise the assessment executed. 

Social acceptance: The assessors may opt to involve additional stakeholders throughout 
the whole acceptance assessment process. In particular, stakeholders may provide their 
opinion on the validation of the results of the acceptance assessment. An example of this 
would be the involvement of experts (e.g. social scientists) to provide an alternative ana- 
lysis of the data collected (Step 5). 


Step B: Quality control 


The goal of this ongoing Step, which runs in parallel to each phase, is to check, internally and/or exter- 
nally, throughout the entire assessment process, whether or not an impact assessment process adheres 


to a given standard of performance and to remedy, if necessary, any irregularities. 


Quality control can be internal, external or both, and take the form of monitoring, review, 
audit, etc. The team of assessors might be required to be updated on the progress of the 
assessment process on a regular or ad hoc basis, or might establish a progress monitoring 
tool or an internal advisory board. The external quality control may be performed by an 
audit organisation hired by the data controller or, alternatively, by an SA, either upon re- 
quest of the data controller or of its own volition (e.g. when required by law). The quality 
control can be structured, permanent or performed on an ad hoc basis; it can be formal 
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(e.g. concerning the compliance with the procedures for an impact assessment process) or 
substantive (e.g. if the risks were appropriately assessed). In case of judicial claims, courts 
of law may review an impact assessment process, either as to its form, its substance or both. 


Step C: Documentation 


The goal of this ongoing Step, which runs in parallel to each phase, is to maintain intelligible records in 


writing or another permanent format (analogue or digital) of all activities undertaken within a given 
assessment process, with due respect for legitimate secrecy. 


Documentation consists of the report and the attachments listed within it, both in draft and 
final form. Assessors also list all the activities undertaken in a given assessment process, 
e.g. draft versions of the report or interactions with data subjects, SAs, etc. It is best prac- 
tice to make (parts of) the present report from an impact assessment process, as well as all 
appendices, publicly available (e.g. on the website of the data controller), with due respect 
for legitimate secrecy. Once the assessment process is revisited, a new version is to also be 
made publicly available, with reference being made within this to any previous version(s). 
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Annex 1: A template for a 
report from the process of 
integrated impact assessment 
on border control technolo- 
gies in the European Union 
and the Schengen Areal 


Nikolaos Ioannipis,* Simone CAsiRAGHI,** Alessandra CaLvr*** and Dariusz KLoza**** 
* Vrije Universiteit Brussel. E-mail: nikolaos.ioannidis@vub.be. 
** Vrije Universiteit Brussel. E-mail: simone.casiraghi@vub.be. 
"77 Vrije Universiteit Brussel. E-mail: alessandra.calvi@vub.be. 


"rz" Vrije Universiteit Brussel. E-mail: dariusz.kloza@vub.be. 
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DOI: 10.46944/9789461171375.al 
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O Public 
O Confidential 
O Specific [explain] 


[Any other details, as practicable] 


[Summarise the most significant information concerning the outcomes of each step of the integrated impact assess- 
ment process. ] 
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Annex 1 - Step 1: Screening (threshold analysis) 


Phase I: preparation of the assessment process 
Step 1: Screening (threshold analysis) 


Step 1a: Preliminary description of the envisaged initiative 


[other, explain] 


= 
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Personal data protection screening (threshold analysis) 


Positive criteria 


Criterion 1: The envisaged processing operations are 
likely to result in a high risk to the rights and freedoms of 
natural persons (general) 


Criterion 2: Processing operations deemed highly risky 


2a. Processing operations entailing systematic and 
extensive evaluation of personal aspects relating to 
natural persons which is based on automated pro- 
cessing, including profiling, and on which decisions 
are based that produce legal effects concerning the 
natural person or similarly significantly affect the 
natural person 


2b. Processing operations regarding special categories 
of data, or personal data relating to criminal convic- 
tions and offences on a large scale 


2c. Processing operations entail a systematic monito- 
ring of a publicly accessible area on a large scale 


Criterion 3: Processing operations included in the public 
list of processing operations that require a data protection 
impact assessment compiled by the DPA(s) to which 
jurisdiction(s) the data controller is subject 


Criterion 3bis: Processing operations that require a 
DPIA as included in a code of conduct to which the data 
controller is subject 


[other, cf. Step 2a: Benchmark; explain] 


DECISION 
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Legal 
provision 


35(1) 


35(3)(a) 


35(3)(b) 


35(3)(c) 


35(4) 


40 


Applicable? 


[| 


Explanation 


required 


not required 
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Negative criteria 


Legal 
provision 


Applicable? 


Explanation 


[other, cf. Step 2a: Benchmark; explain] 


167 


Border Control and New Technologies 


Step 1bb: Ethics and social acceptance screening 


Ki 

Ka 

S 

Could the initiative result in the development and/or use of technologies and/or e 

processing activities that: E Explanation 

ee eee | 
| R 
Go eee el S 
EE e- 
DREES H 
Pee - 
hie - 
Oo 

Oo 


168 


Annex 1 - Step 1: Screening (threshold analysis) 


Step 1bc: Privacy screening 


Could the initiative result in the development and/or use of technologies and/or 
processing activities that: 


Applicable? 


Explanation 


ao 


Oo 


a 
E 
3 
3 
bi 
s 
oe 
wu 
ER) a 


[Explanation] 
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Step 2: Scoping 


Step 2a: Benchmark 


Step 2aa: Personal data protection 


Applicable laws and regulations 


lex generalis 


UH DUDU DUDU DUDU 0n 0n ü 0n n UD DUDU DU DU DU O O Applicable? 


[other, general sources for personal data protection, explain] 


lex specialis 


[other, specific sources for personal data protection, explain] 
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Explanation 
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Applicable? 


Applicable laws and regulations Explanation 


by-laws 
Qa Qa 


[other, explain] 


Explanation 


Scope of the assessment process Legal provision 


DD DD QO O Applicable? 


QO 


E 


aoaaa 


[other, explain] 
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Step 2ab: Ethics 


Theory Argument 


Examples 

1.1 The initiative is (not) based on universal principles 
1.2 The initiative is (not) based on universal values 
rees 


2.1 The initiative is presented as a panacea for long-las- 
ting social problems 


2.2 It is inevitable that the initiative will become ubi- 
quitous in society 


2.3 It is inevitable that “traditional” border checks will 
disappear 


2.4 The initiative is the only way to solve problems of 
security and improve efficiency 


IK 


3.1 The initiative is (not) neutral 
3.2 The initiative is (not) biased 
Se 


4.1 The initiative is likely to propose problems that have 
happened in the past 


4.2 The initiative is likely to solve problems that have 
happened in the past 


4.3 The initiative is likely to promote benefits that have 
happened in the past 


AX... 


5.1 The initiative will change people's ethical values (such 
as autonomy) 


5.2 The initiative will change/improve people’s ethical 
behaviour 


5.3 The initiative will change/improve people's ethical 
judgements 


5.4 The initiative affects the autonomy of border guards’ 
decision-making 


IRon 


172 


O OQ O Applicable? 
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ID Theory Argument 


Examples 


6.1 The initiative, if developed on a large scale, can give 
rise to uncontrollable effects 


6.2 If we do not implement T now, we will suffer uncon- 
trollable effects 


6.3 The initiative bears the risk of “function creep” 
OX coo 


7.1 The initiative will respect principle X, regardless of 
the consequences 


7.2 The initiative is designed respecting the principle/ 
value X 


7.3 There is a categorical prohibition (e.g. “red line”) for 
certain uses of the initiative 


7.4 The initiative (does not) respect the human right X 


7.5 The initiative is not in line with the Code of conduct 
X 


TR 


8.1 The initiative brings about (economic) benefits that 
will outweigh the costs 


8.2 The initiative will increase security despite an infrin- 
gement of privacy 


8.3 The initiative will make border crossing/control more 
efficient 


8.4 The initiative can be misused or used for military 
purposes 


GE 
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Applicable? 


El 


ID Theory 
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Argument 


Examples 


9.1 The initiative is (not) equally accessible to everyone 
(e.g. people in wheelchairs, third-country nationals) 


9.2 Only/mostly some people will benefit from the initia- 
tive (e.g. bona fide travellers) 


9.3 Some people are more prone to be considered high- 
risk travellers (e.g. third country nationals) 


9.4 There are risks of bias or stigmatisation when using 
the initiative 


9.5 The accuracy of the initiative is unreliable for certain 
categories of people 


E 


Step 2ac: Social acceptance scoping 


Perspective 


Applicable? 


Stakeholders considered for Acceptance assess- 
acceptance assessment ment technique Explanation 
D 
o 
o 
[other, explain] fE 
D 
o 
o 
D 
Local stakeholders D 


174 


Applicable? 
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Step 2ad: Privacy 


Would it affect...? Explanation 


O00 0 0 0 QO OD Applicable? 


Step 2b: Stakeholders and their consultation techniques 


Internal stakeholders 


E 
Si 
$ Level of Stakeholder involve- 
Category of stakeholder EI involvement ment techniques Explanation 
Data procesor) ` 7 
Ee 3 
| Recipiento geg D 
| Third parties (Aides) 
` Representative(s) nde! 0 
` information security ofie) O 
| Tegalsari D 
Lto o oo ` 


[other, specify] 
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External stakeholders 


Stakeholder 
Level of involvement 


Involved? 


Category of stakeholder involvement techniques Explanation 


[Anybody else affected, etc., 
specify] 
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Step 2c: Appraisal techniques 


Element 
of the 


benchmark Technique 


Applicable? 


Explanation 


a 


(other, specify] o 
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Step 2d: Other evaluation techniques 


Ki 
Ka 
Š 
Å: 

Technique x Explanation 
o 
o 
o 

[other, specify] o 

Comments 
[Explanation] 
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Step 3: Planning and Preparation 


Specific objectives of the assessment process 


Objective Explanation 


0 0 OQ Applicable? 


{other, specify] 


Criteria for the acceptability of negative impacts 


Ki 
Ka 
Š 
B 

Objective x Explanation 
DI 
DI 
DI 
DI 
DI 

{other, specify] D 

Resources 
Value(s) Explanation 
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Value(s) Explanation 
[other, specify] 


Procedures and timeframes for the assessment process 


Milestone Deadline Responsibility Supervision 
si 
Assessor(s) 
Name If external: Contact Expertise Roles and Other 
organisation details responsibilities information 


E [Specify] [Leader] 
EN 


Stakeholders 


[Provide contact details of all stakeholders to involve in the present impact assessment process and a consultation 


plan, if necessary. ] 


Continuity of the assessment process 


[How would the present assessment process be continued in the event of a disruption, reorganisation, etc. of the 


sponsoring organization?] 
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Criteria triggering the revision of the assessment process 


% 
Ka 
Š 
À 
Criterion x Explanation 
| Change oflikelihood and/or severity ofarsk ` " 
[Other, specify] Oo 
Comments 


[Explanation] 
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Ongoing Steps for Phase | 
Step A: Stakeholder involvement 


Internal stakeholders 


What information has What input have the How was their input 
been communicated to stakeholders provided included? Why was it 
Category of stakeholders stakeholders? (e.g. opinion)? rejected? 
(other, specify] 
External stakeholders 
What information What input have the How was their input 
has been communi- stakeholders provi- included? Why was 
Category of stakeholders cated to stakeholders? ded (e.g. opinion)? it rejected? 
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[Anybody else affected, 
etc., specify] 


Lack of stakeholder involvement in the present phase 


[If stakeholders are not involved in the present phase of the impact assessment process, explain why. ] 
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Step B: Quality control 


What feedback was How was the feedback implemented? 
Quality control body received? Why was it rejected? 


(Other, specify] 


Comments 


[Explanation] 
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Phase Il: Assessment 
Step 4: Systematic (detailed) description of the initiative 


a) A succinct description of the envisaged initiative 


[Explanation] 


b) Personal data protection 


Overview 


Explanation 


Contextual description 
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Explanation 


Technical description 


[Other, explain] 


Diagram of personal data flows and/or other visualisations 


[Insert a diagram] 
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Explanation 


Ei a 
3 = 
3 = 
5 DI 
er CY 
v < 


[Explanation] 
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Step 5b: Ethics assessment 


Stage 1: 


ID 


Lo 
E: 
D 
Q 
bh 
N 


IDs 


Analysis 


Questions 
How is the initiative (not) in line with universal values or principles? 


How is the initiative presented in a deterministic way? Is it a positive 
or negative picture? 


Why is the initiative (not) neutral? 


Is the initiative legitimised by similar technologies that already 
worked in the past? Or is it legitimised by reference to a dystopian 
future? 


How is the initiative said to change our values or ethical principles? 


How does the use (or lack of use) of the initiative cause uncontrol- 
lable effects? 


How does the initiative protect principles/rights/duties before con- 
sequences? Which principles/rights/duties are respected, and which 
are infringed? 


Why is the initiative said to produce more benefits than costs? How 
is the argument justified? 


How are the risks and benefits of the initiative distributed between 
different groups? Which groups are discriminated and how? 


> 
a 
a 
oO 
a 
ki 
3 
bd 
5 
rt 


Assessment 


Questions Conflict Counterarguments or fallacies 


Are the values/principles 
invoked universal? Or are they 
instead local? 


Will the initiative materialise 
independently of what people 
think and decide? 

Or is there some room for 
alternatives? 


Is the initiative neutral or 
biased? 


Does the parallel with the past/ 
future hold? 
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Questions 


To what extent does the initia- 
tive change our morality? 


Can more and more similar 
initiatives ultimately lead to a 
dystopian future if used on a 
larger scale, although it seems 
innocuous at first? 


Do the principles/rights/duties 
invoked actually justify the 
initiative? 

Are invocations to principles/ 
rights/duties side-tracked by 
consequentialist arguments? 
Can one principle/right/duty 
be outweighed by another? If 
so, how do you balance compe- 
ting principles? 


Are the promises of the initia- 
tive plausible? 

Is there a better alternative to 
the initiative (e.g. less invasive) 
that is technically and econo- 
mically feasible? 

What are the possible unin- 
tended side effects? 

Do costs outweigh benefits? 
Or are the costs and risks 
downplayed? 


Is (the access to) the initiative 
distributed equally between 
travellers? 

Is (the access to) the initiative 
distributed on the basis of the 
needs of the travellers? 

Are distributive justice 
arguments side-tracked by 
consequentialist ones? 

Are discriminatory issues 
sufficiently addressed? 
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Assessment 


Conflict 
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Counterarguments or fallacies 
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Step 5c: Social acceptance assessment 


Stage 1: Analysis 
Acceptance assessment 
ID technique Type of analysis Findings and patterns (summary) 
Quantitative o 


Qualitative 


Mix 


Stage 2: Assessment 


Positive or negative 


ID consequences Stakeholders affected 
Ie 
ly... 
IA 560 
E 


Step 5d: Privacy assessment 


Technology implemented 
(repeat and justify for each) 


Description of impact 
Proportionality 


Legality 
Essence 
Legitimacy 
Necessity 


00/01/0101 RSR 0J € EIH 
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ID 
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Step 5e: Legal compliance requirements 


Description 


Have the responsibilities of 
controllers and processors 
been allocated in accordance 
with the law? 


[other, specify] 


Has a legal basis grounding 
the personal data processing 
been identified? 


[other, specify] 


Are the purposes for which 
a border control technology 
processes personal data in 
line with those specified in 
the relevant legal and other- 
wise regulatory framework 
applicable to it? 


[other, specify] 


= 


Does the border control 
technology process only 
the personal data that is 
adequate, relevant and 
not excessive for the 
specific border control 
activity? 


P 


Does the border control 
technology ensure that 
only specific categories 
of personal data are 
processed? 


(other, specify] 
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Applicable? 


Compliance? 


Explanation 


ID 


Description 


Annex 1 - Step 5: Appraisal of Impacts 


Where inaccurate or outdated 
information is stored in a 
database, are mechanisms 
place to ensure that the infor- 
mation is erased or updated 
within a specific period of 
time, and that the changes 

are communicated to those 
(authorities) concerned? 


(other, specify] 


Does the border control tech- 
nology comply with minimum 
data quality standards for 
biometric data? 


(other, specify] 


1. Does the border control 
technology ensure that 
data is automatically de- 
leted once the retention 
period elapses? 


2. Does the border control 
technology ensure that 
logs are deleted once the 
retention period elapses? 


[other, specify] 


Has the organisation adopted 
technical and organisational 
measures to ensure the securi- 
ty of the data processed by the 
border control technology? 

e security, business con- 
tinuity and disaster and 
recovery plan 

e fall-back procedures 

* encryption 

e etc. 


[other, specify] 


197 


Applicable? 


Compliance? 


Explanation 


Border Control and New Technologies 


Y 
So og 
Š È 
D & Š , 
ID Description x Q Explanation 
Does the border control 
authority have accountability 
measures in place? 
e logs/records of processing 
activities 
- staff training D Oo 
e self-monitoring 
` professional secrecy 
e reports of security 
incidents 
. etc. 
[other, specify] 


1. Are data subjects gran- 
ted the possibility to 
exercise their rights? 

e information 
e access 
e rectification 
. cawe o g 
e restriction of pro- 
cessing 
e to not be subjected 
to a decision solely 
based on automated 
decision making 
e etc. 


[other, specify] 


Are personal data transfers 
to third countries and/or 
international organisations 
e e D Oo 
and/or private entities either 
not allowed or restricted to 
very specific cases? 


[other, specify] 
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ID ———— ee 


Compliance? 


Explanation 


Do Bee OU specific staff 

members of pre-defined 

national competent 

authorities have access o O 
to data processed by the 

border control techno- 

logy? 


Do only specific staff 

members of pre-defined 

EU agencies have access 

to data processed by 

the border control tech- o D 
nology insofar as it is 

necessary to fulfil their 
mandate or exercise 
their tasks? 


[other, specify] 


Does the border control tech- 

nology ensure that the o g 
processing of personal data 

respects one’s private life? 


[other, specify] 


Does the border control 

technology ensure that the 

processing of personal data Oo O 
respects the (bodily) integrity 

of individuals? 


[other, specify] 


Have privacy considerations 

been embedded in the border o 
control technology for its 

entire lifecycle? 


[other, specify] 
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Applicable? 
Compliance? 


ID Description 


Explanation 
Are the default settings of the 
border control technology 
the most privacy-friendly 
possible? 


o 
E] 


[other, specify] 


Is the public informed 

about the existence of o T 
the border crossing 

point? 


ik 
2. Is the public infor- 
med of the temporary S S 
reintroduction of border 
controls? 


(other, specify] 


May a person opt to not 
use a border control (m D 
technology (e.g. e-gate)? 


to not use the border 

control technology not D D 
discriminated against for 

their choice? 


1 
2. Are persons who opt 
[ 


other, specify] 


Are restrictions in place for 
S D (mi 

dual-use items? 

Other / specify 

Is the use of the border con- 

trol technology fair towards o Oo 
third-country nationals? 

[other, specify] 
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ID 


Description 


Annex 1 - Step 5: Appraisal of Impacts 


1. Does the use of the bor- 
der control technology 
not result in inhuman or 
degrading treatment? 


2. Is the procedure of 
taking fingerprints in 
accordance with safe- 
guards in CFR? 


[other, specify] 


Has the technology been de- 
veloped in such a way that the 
processing of personal data 
will not result in discrimina- 
tion against persons on any 
grounds, such as gender, race, 
colour, ethnic or social origin, 
genetic features, language, 
religion or belief, political or 
any other opinion, member- 
ship of a national minority, 
property, birth, disability, age 
or sexual orientation? 


[other, specify] 


Has the border control 
technology been designed in 
such a way to be used by all 
persons, except for children 
under 12 years of age, to the 
fullest extent possible? 


[other, specify] 
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Applicable? 


ao 


Compliance? 


Explanation 
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Applicable? 
Compliance? 


ID Description 


Explanation 


= 


Are children under a 
certain age exempted 
from giving fingerprints? 


a 
a 


Si 


Are alerts regarding 

children admissible only 

in restricted cases and o D 
to safeguard the best 

interest of the child? 


ee 


Are alerts concerning 

children deleted when 

the child reaches the age 

of majority and in the D D 
circumstances specified 

in Article 55 SIS Regula- 

tion 1862? 


Da 


Are queries in the CIR 

against minors of 12 

years or under allowed, D D 
except when in the best 

interest of the child? 


(other, specify] 


1. Are alerts concerning 
vulnerable persons 
admissible only in 
restricted cases? 


2. Are the alerts concerning 
vulnerable persons dele- 
ted in the circumstances o o 
specified in Article 55 
SIS Regulation 1862? 


3. Have border guards 
received specialised trai- 
ning for detecting and 
dealing with situations 
involving vulnerable 
persons? 


[other, specify] 
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= = 
& & 
ID Description x oO Explanation 
1. Are the individuals not 
subject to refoulement? g g 
Do they have the possi- 
bility to ask for asylum? 
2. Are the rights of people 
in need of international 4 + 
protection taken into 


special account? 


[other, specify] 


Other evaluation techniques 


Assessment Recommendations 


[Explanation] [Explanation] 


Comments 


[Explanation] 
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Step 6: Recommendations 


Recommendations concerning ethics 


Response plan 
Counter- p P 


ID Conflicts arguments Fallacies Measure Responsible Deadline 


Recommendations concerning social acceptance 


Response plan 
ID Users Critical points Measure Responsible Deadline 
Recommendations concerning privacy 
Response plan 
Aspect(s) of Ge? 
Technology privacy Interference Measure Responsible Deadline 


Recommendations concerning legal compliance 


Response plan 


ID Measure Responsible Deadline 
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Annex 1 - Step 6: Recommendations 


Other evaluation techniques 


[Explanation] 


Recommendations 


Decision of the sponosoring organisation 


Synthesis of recommendations and its justification 
ES e Bags 
Decision of the sponosoring organisati- 
Overall recommendation on and its justification 


D to deploy the initiative without changes 


IS to modify the initiative [Specify how] 

o to cancel the initiative [Specify why] 
Comments 

[Explanation] 
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Ongoing Steps for Phase II 


Step A: Stakeholder involvement 


Internal stakeholders 


Category of stakeholder 


(other, specify] 


External stakeholders 


Category of stakeholder 


What information 


What input have 


has been the stakeholders How was their input 
communicated to provided included? Why was 
stakeholders? (e.g. opinion)? it rejected? 
What informa- What input have How was their 
tion has been the stakeholders input included? 
communicated to provided Why was it 
stakeholders? (e.g. opinion)? rejected? 
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Annex 1 - Ongoing Steps for Phase II 


What informa- 

tion has been 

communicated to 
Category of stakeholder stakeholders? 


[Anybody else affected, etc., specify] 


Lack of stakeholder involvement in the present phase 


What input have 
the stakeholders 
provided 

(e.g. opinion)? 


How was their 
input included? 
Why was it 
rejected? 


[If stakeholders are not involved in the present phase of the impact assessment process, explain why. ] 
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Step B: Quality control 


How was the feedback implemen- 
Quality control body What feedback was received? ted? Why was it rejected? 


(Other, specify] 


Comments 


[Explanation] 
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Annex 1 - Step 7: Prior Consultation 


Phase IIl: Ex post (eventual) steps 


Step 7: Prior Consultation 


[other, explain] 


Comments 


[Explanation] 


Contextual description 


Technical description 


Step 8: Revisiting 


Criterion 


[Other, explain] 


EI 
EI 
D 
m 
D 
CH 
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Change? 


o 
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Explanation 


Annex 1 - Step 8: Revisiting 


Overall suggestion 


What should be done 
with the assessment process? When? 
O entirely [Specify] 
O revise 
O in part [Specify] [Specify] 
O do not revise [Specify why] 
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Decision of the sponsoring organi- 
sation and its justification 
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Ongoing Steps for Phase III 


Step A: Stakeholder involvement 


Internal stakeholders 


What information What input have the How was their input 
has been communi- stakeholders provi- included? Why was 
Category of stakeholder cated to stakeholders? ded (e.g. opinion)? it rejected? 
(other, specify] 
External stakeholders 
What informa- What input have How was their 
tion has been the stakeholders input included? 
communicated to provided (e.g. Why was it 
Category of stakeholder stakeholders? opinion)? rejected? 
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Annex 1 - Ongoing Steps for Phase III 


What informa- 

tion has been 

communicated to 
Category of stakeholder stakeholders? 


[Anybody else affected, etc., specify] 


Lack of stakeholder involvement in the present phase 


What input have 
the stakeholders 
provided (e.g. 
opinion)? 


How was their 
input included? 
Why was it 
rejected? 


[If stakeholders are not involved in the present phase of the impact assessment process, explain why. ] 


213 


Border Control and New Technologies 


Step B: Quality control 


How was the feedback implemented? 
Quality control body What feedback was received? Why was it rejected? 


[Other, specify] 


Comments 


[Explanation] 
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Annex 1 - Ongoing Steps for Phase III 


Step C: Documentation 


Confidentiality 


Attachment level Comments 


s 
xv 
a 
= 
o 
oO 
o 
o 
a 


E| 


confidential El 


confidential 
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zs 

y 

Confidentiality 2. 

Attachment level E Comments 
ee i 
a esl S 
DËS l 
[Reports from other evaluation techniques; specify] o 
[other, explain] 


Comments 


[Explanation] 
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Annex 1 - Closing Page 


Closing Page 


Endorsements 


Responsibility Name Remarks Date Signature 


[other, explain] 


Endnotes 


Í; Based on: Dariusz Kloza et al., “Data Protection Impact Assessment in the European Union: 
Developing a Template for a Report from the Assessment Process,” d.pia.lab Policy Brief 
(Brussels: VUB, 2020), https://doi.org/10.31228/osf.io/7qrfp. 
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Annex 3: Inventory of 
appraisal techniques 


Nikolaos IoANNIDIS 


Vrije Universiteit Brussel. E-mail: Nikolaos.loannidis@vub.be. 


3.1 Introduction 


There are multiple ‘recipes’ for a proper impact assessment process. The purpose of this 

Annex is to provide a reference point and a knowledge base for conducting the process 

of integrated impact assessment of border control technologies. The Annex provides an 

overview of the appraisal and evaluation techniques, categorised as follows: 

1) appraisal techniques that are explicitly referred in the General Data Protection Regu- 
lation (GDPR) and hence legally required to be used in the process of data protection 
impact assessment (DPIA) in the EU; 

2) supplementary appraisal techniques that are compatible with the GDPR as far as the 
processes of DPIA and integrated impact assessment is concerned; and 

3) evaluation techniques that are stand-alone, borrowed from other areas of practice, 
and can be integrated within the process of impact assessment; these evaluation tech- 
niques employ one or more appraisal techniques. 


Under the first category are the appraisal methods explicitly stipulated in the GDPR. For 
the process of DPIA, the assessors use the following appraisal techniques: (i) assessment 
of necessity and proportionality of the personal data processing operations in relation to 
the purposes of the technology and (ii) assessment of the risks to the rights and freedoms 
of data subjects. The second category comprises closely related appraisal methods, which 
could be used more broadly on different types of assessments, not exclusively for DPIA. 
For example, cost-benefit analysis belongs to this category and can be used to supple- 
ment risk assessment legally required by the GDPR. Finally, the third category comprises 
stand-alone evaluation techniques with a view of their possible integration, such as tech- 
nology foresight and environmental impact assessment (EIA). 


DOI: 10.46944/9789461171375.a3 
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Several appraisal or evaluation techniques can be combined in order to conduct a process 
of integrated impact assessment, depending on the benchmark under assessment and the 
context in which the impact assessment process is utilised. Using one technique does not 
usually exclude or render obsolete the others. On the contrary, such a combination is fre- 
quently considered as best practice. There clearly exist many appraisal and evaluation tech- 
niques, of various levels of quality and applicability. Their abundance is due to the need for 
tailored solutions, adapted to the specific context of assessment. Additionally, the fact that 
impact assessment is an adaptable ‘living instrument’ results in existence of numerous versi- 
ons and adaptations of the final impact assessment process. 

Due to the evolving character of the concept of impact assessment, this Annex cannot 
be considered exhaustive. Although it extends as far as bringing together the well-establis- 
hed EIA with the newly conceived and relatively unclear concept of artificial intelligence 
impact assessment, there is no ‘silver bullet’ for selecting and combining the appraisal 
techniques that will be best adapted for an integrated impact assessment process. 

This Annex is structured as follows: under each appraisal or evaluation technique, a 
list follows with corresponding sources prominent in the field (either academic or from 
the area of policymaking) (Sections 2-4). For instance, for DPIA, numerous methods and 
templates have been developed; however it is impossible to list each and every one of them. 
The scope of this Annex does not extend to the matter of combining several appraisal and 
evaluation techniques, although the list of sources under each technique indicates its affi- 
nity with others. In addition, Section 5 is dedicated to attempts to develop techniques for 
ranking technologies as to their invasiveness into societal values. 


3.2 Appraisal techniques explicitly required by the 
General Data Protection Regulation 


3.2.1 Assessment of necessity and proportionality 


3.2.1.1 Overview 
The necessity and proportionality assessment refers first and foremost to the observance 
of the personal data protection principles. In particular, it is connected to the principle 
of purpose limitation. It first asks about the purpose of the data processing operation, 
whether ‘the processing could not be reasonably fulfilled by other means’ and whether the 
personal data would be ‘collected for specified, explicit and legitimate purposes and not 
further processed’ in a way that is inconsistent with those purposes.’ 

This assessment further pertains to the principle of lawfulness of processing, alongside 
the principles of data minimisation, accuracy and storage limitation, security of proces- 
sing, and also data protection by design and by default. In other words, it asks whether the 
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personal data would be ‘processed lawfully, fairly and in a transparent manner, whether it 

would be ‘adequate, relevant and limited to what is necessary in relation to the purposes, 

whether it would be ‘accurate and, where necessary, kept up to date’ or whether it would 
be stored for any longer than necessary.’ 

Often, the envisaged initiative under assessment may voluntarily be additionally exa- 
mined against the entirety of human rights limitation criteria. In other words, while the 
entirety of the provisions of the GDPR, and especially the personal data protection prin- 
ciples, is meant to observe human rights limitation criteria, there might be instances that 
would give rise to the questioning of such an assumption. This scenario could happen in 
the provisions about a national exemption or derogation from the GDPR (Article 85). The 
five limitation criteria, following the Charter of Fundamental Rights, are: 

e legality, i.e. if a basis for a data processing operation is provided for by law of a suf- 
ficient quality, e.g. clarity, accessibility, precision, foreseeability, conformity with the 
rule of law; 

e the respect for the essence of a right, i.e. if the interference with a fundamental right 
does not make it impossible to exercise a right; 

e legitimacy, i.e. if a processing operation serves a given general interest or protects the 
rights and freedoms of others; 

e necessity, i.e. if a processing operation is necessary and if it genuinely meets legitimate 
objectives; and 

e proportionality sensu stricto (e.g. balancing), e.g. if the least intrusive option has been 
chosen. 


3.2.1.2 Assessment techniques 


Article 29 Data Protection Working Party 

e Article 29 Data Protection Working Party, Guidelines on Data Protection Impact Assessment (DPIA) 
and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 
2016/679 (Brussels: 2017), https://www.cnil.fr/sites/default/files/atoms/files/20171013_wp248_ 
rev01_enpdf_4.pdf. 


European Data Protection Supervisor (EDPS) 
e European Data Protection Supervisor [EDPS], Accountability on the ground. Part II: Data Protection 
Impact Assessments & Prior Consultation (Brussels: 2018), https://edps.europa.eu/sites/edp/files/ 


publication/18-02-06_accountability_on_the_ground_part_2_en.pdf. 


EDPS, Assessing the necessity of measures that limit the fundamental right to the protection of perso- 
nal data: A Toolkit (Brussels: 2017), https://edps.europa.eu/sites/edp/files/publication/17-04-11_ 
necessity_toolkit_en_0.pdf. 

EDPS, Guidelines on assessing the proportionality of measures that limit the fundamental rightsto 
privacy and to the protection of personal data (Brussels: 2019), https://edps.europa.eu/sites/edp/files/ 
publication/19-12-19_edps_proportionality_guidelines2_en.pdf. 
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Commission Nationale de l'Informatique et des Libertés (CNIL) 
- CNIL, Privacy Impact Assessment (PIA). Templates (Paris, 2018), https://www.cnil.fr/sites/default/ 


files/atoms/files/cnil-pia-2-en-templates.pdf. 
CNIL, Privacy Impact Assessment (PIA). Methodology (Paris, 2018), https://www.cnil.fr/sites/default/ 
files/atoms/files/cnil-pia-1-en-methodology.pdf. 


3.2.2 Assessment of a risk to the rights and freedoms of data subjects 


3.2.2.1 Risk assessment: an overview 

Risk assessment is the overall process of risk identification, risk analysis and risk evalua- 
tion. In particular, the purpose of risk analysis is to comprehend the nature of risk and its 
characteristics, including the level of risk. Risk analysis involves a detailed consideration 
of uncertainties, risk sources, consequences, likelihoods, events, scenarios, controls, and 
their effectiveness. 

Risk analysis can be undertaken with varying degrees of detail and complexity, depen- 
ding on the purpose of the analysis, the availability and reliability of information, and the 
resources available. Analysis techniques can be qualitative, quantitative or a combination 
of these, depending on the circumstances and intended use. 

Consequent to risk analysis is the evaluation of the risks. This step involves comparing 
the results of the risk analysis with the established risk criteria to determine where addi- 
tional action is required. 


3.2.2.1.1 Qualitative risk analysis 

Qualitative risk analysis uses a scale of qualifying attributes to describe the magnitude of 
potential consequences (e.g. low, medium and high) and the likelihood that those con- 
sequences will occur. An advantage of qualitative analysis is its ease of understanding by 
all relevant personnel, while a disadvantage is the dependence on the subjective choice of 
the scale. These scales can be adapted or adjusted to suit the circumstances, and different 
descriptions can be used for different risks. Qualitative analysis should use factual infor- 
mation and data, where available, and can be used: 

1. as an initial screening activity to identify risks that require more detailed analysis; 

2. where this kind of analysis is appropriate for decisions; 

3. where numerical data or resources are inadequate for a quantitative risk analysis. 


3.2.2.1.2 Quantitative risk analysis 

Quantitative risk analysis uses a scale with numerical values (rather than the descriptive 
scales used in qualitative risk analysis) for both consequences and likelihood. The quality 
of the analysis depends on the accuracy and completeness of the numerical values and the 
validity of the models used. 
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Quantitative risk analysis, in most cases, uses historical incident data, providing the 
advantage that they can be related directly to the information security objectives and con- 
cerns of the organisation. A disadvantage of the quantitative approach can occur where 
factual, auditable data are not available, thus creating an illusion of worth and accuracy of 
the risk assessment. The way in which consequences and likelihood are expressed and the 
ways in which they are combined to provide a level of risk, will vary according to the type 
of risk and the purpose for which the risk assessment output is to be used. The uncertainty 
and variability of both consequences and likelihood should be considered in the analysis 
and communicated effectively. 


3.2.2.2 Risks to the rights and freedoms in data protection law: an overview 

The concept of risk assessment within the scope of data protection law is understood to 
refer to the risks to the rights and freedoms of data subjects. On the grounds of the GDPR, 
risk is understood as a negative consequence arising from processing operations, which 
may or may not occur in the future. Such a consequence, if materialised, would produce 
physical, material, or non-material damage to natural persons (largely, data subjects) and 
not solely to the controllers or processors. Such risk includes, for example, discrimination, 
identity theft or fraud, financial loss or damage to reputation, loss of confidentiality, unau- 
thorised reversal of pseudonymisation, any significant economic or social disadvantage, 
loss of control over personal data, and processing of unauthorised sensitive data or data 
from vulnerable natural persons, in particular children. 

The classic method for assessing risk typically combines two measurements, namely its 
likelihood (or probability) and its severity. Risk can be assessed qualitatively, quantitative- 
ly or through a combination of these.’ There are aspects of personal data protection that fit 
into the former (i.e. risk to rights and freedoms) and the latter (e.g. data security). 

Quantitative risk assessment measures the probability of occurrence of a risk, and com- 
bines this with its level of severity. Probability is expressed on a scale ranging from 0 to 
1. In turn, qualitative risk assessment instead uses levels of likelihood (e.g. a four-partite 
descriptive scale of negligible, low, medium and high) to be combined with its severity. 
Eventually, severity of a risk indicates a magnitude of damage should a risk materialise. 
It can be equally expressed on a 4-partite descriptive scale. Both scales — likelihood and 
severity — are pre-defined and justified. 
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3.2.2.3 Assessment techniques 


International Organization for Standardization (ISO) 
ISO 31000:2018 Risk management - Guidelines, https://www.iso.org/standard/65694.html. 
ISO 27005:2018 Information technology — Security techniques - Information security risk manage- 


ment, https://www.iso.org/standard/75281.html. 
ISO 22301:2019 Security and resilience - Business continuity management systems - Requirements, 
https://www.iso.org/standard/75106.html. 


National Institute of Standards and Technology (NIST) 
e SP 800-37 Rev. 2 Risk Management Framework for Information Systems and Organizations: A System 
Life Cycle Approach for Security and Privacy, https://doi.org/10.6028/NIST.SP.800-37r2. 


3.3 Supplementary appraisal techniques compatible 
with the General Data Protection Regulation 


3.3.1 Scenario analysis (planning) 


3.3.1.1 Overview 

Scenario analysis is conducted with the aim of analysing the impacts of possible future 
events on the system performance by taking into account several alternative outcomes, 
ie. scenarios, and presenting different options for future development paths, resulting in 
varying outcomes and corresponding implications. 

It is the process of forecasting the expected value of a performance indicator, given a 
time period, occurrence of different situations, and related changes in the values of system 
parameters under an uncertain environment. Scenario analysis can be used to estima- 
te the behaviour of the system in response to an unexpected event, and may be utilised 
to explore the changes in system performance, in a theoretical best-case (optimistic) or 
worst-case (pessimistic) scenario. 

Key steps in scenario analysis are: a) identification of the scenario field, b) identification 
of key factors, c) analysis of key factors, d) scenario generation, and e) scenario transfer. 
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3.3.1.2 Assessment techniques 


Celeste Amorim Varuma and Carla Meloa, “Directions in Scenario Planning Literature - A Review 
of the Past Decades,’ Futures 42, no. 4 (2010): 355-69, https://doi.org/10.1016/j.futures.2009.11.021. 
Hannah Kosow and Robert Gaßner, Methods of Future and Scenario Analysis. Overview, Assessment, 
and Selection Criteria (2008), https://www.econstor.eu/bitstream/10419/199164/1/die-study-39.pdf. 
MS Reed, J. Kenter, A. Bonn, K. Broad, T.P. Burt, I.R. Fazey, E.D.G. Fraser, K. Hubacek, D. 
Nainggolan, C.H. Quinn, L.C. Stringer, F. Ravera, "Participatory scenario development for en- 
vironmental management: A methodological framework illustrated with experience from the UK 
uplands," Journal of Environmental Management 128 (2013): 345-362, https://doi.org/10.1016/j. 
jenvman.2013.05.016. 

Philip Notten, Scenario Development: A Typology of Approaches, Think Scenarios, Rethink Education 
(2006), https://www.oecd.org/site/schoolingfortomorrowknowledgebase/futuresthinking/scenarios/ 
scenariodevelopmentatypologyofapproaches.htm. 

Yousra Tourki, Jeffrey Keisler, and Igor Linkoy, I., "Scenario analysis: a review of methods and ap- 


plications for engineering and environmental systems", Environment Systems & Decisions 33 (2013): 
3-20, https://doi.org/10.1007/s10669-013-9437-6. 


3.3.2 Technology foresight 


3.3.2.1 Overview 

Foresight is a systematic, participatory, future-intelligence-gathering, and medium-to- 
long-term vision-building process aimed at present-day decisions and mobilising joint 
actions. 

Research foresight is “the process involved in systematically attempting to look into 
the longer-term future of science, technology, the economy and society with the aim of 
identifying the areas of strategic research and the emerging generic technologies likely to 
yield the greatest economic and social benefits. 

Technology foresight is a systematic means of assessing those scientific and technologi- 
cal developments, which could have a strong impact on industrial competitiveness, wealth 
creation and quality of life. 

Future-oriented technology analysis methods include, among others: creativity ap- 
proaches, monitoring and intelligence, descriptive methods, matrices, statistical and trend 
analyses, road mapping, economic analyses, modelling and simulation.* 
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3.3.2.2 Assessment techniques 


e Cinzia Battistella and Alberto E De Toni, “A methodology of technological foresight: A proposal 
and field study,” Technological Forecasting and Social Change 78, no. 6 (2011): 1029-1048, https://doi. 
org/10.1016/j.techfore.2011.01.006. 

M. Hussain, E. Tapinos, and L. Knight, “Scenario-Driven Roadmapping for Technology Foresight,” 


Technological Forecasting and Social Change 124 (2017): 160-77, https://doi.org/10.1016/j.techfo- 
re.2017.05.005. 

Alan L. Porter, “Technology foresight: types and methods,’ International Journal Foresight and 
Innovation Policy 6, no. 1/2/3 (2010): 36-45, https://www.foresightfordevelopment.org/sobipro/ 
download-file/46-590/54. 


3.3.3 Cost-benefit analysis 


3.3.3.1 Overview 
Cost-benefit analysis (CBA) is a tool for the allocation of resources and the selection of 
economically efficient policies, monetising all involved costs and benefits. It asks the ques- 
tion of whether a single initiative or more “should be undertaken and, if investable funds 
are limited, which one, two or more among these specific projects that would otherwise 
qualify for admission should be selected”> Put simply, it is “a mathematical tool used by 
decision-makers to determine if the perceived program benefits outweigh expected costs 3 
CBA guides decision-making by making a reference predominantly to profitability,’ in 
this way promoting efficiency understood as effectiveness as the least waste of resources. 
In the context of human rights, even values, if these could be translated into monetary 
terms, they might be better protected, taking into account the costs that occur when rights 
are violated. This approach could provide decision-makers with a more accurate metho- 
dology when human rights are affected. Yet, a criticism of this approach is that it might be 
unsuitable in certain contexts, as placing a monetary value on human life and suffering is 
morally illegitimate.* 
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3.3.3.2 Assessment techniques 


Stephanie Riegg Cellini and James Edwin Kee, “Cost-Effectiveness and Cost-Benefit Analysis,” in 
Handbook of Practical Program Evaluation, eds. Kathryn E. Newcomer, Harry P. Hatry, and Joseph 
S. Wholey (New Jersey: John Wiley & Sons, 2015), https://doi.org/10.1002/9781119171386.ch24. 
Ezra J. Mishan and Euston Quah, Cost-Benefit Analysis (Taylor & Francis, 2007). 

European Commission, Guide to Cost-Benefit Analysis of Investment Projects, Economic appraisal 


tool for Cohesion Policy 2014-2020 (2014), https://ec.europa.eu/regional_policy/sources/docgener/ 
studies/pdf/cba_guide.pdf. 

Michael D. Makowsky and Richard E. Wagner, “From Scholarly Idea to Budgetary Institution: The 
Emergence of Cost-Benefit Analysis,’ Constitutional Political Economy 20, no. 1 (2009), https://doi. 
org/10.1007/s10602-008-9051-7. 

Pamela Misuraca, “The Effectiveness of a Costs and Benefits Analysis in Making Federal Government 
Decisions: A Literature Review,’ Igarss no. 1 (2014), https://doi.org/10.1007/s13398-014-0173-7.2. 
Robert H. Frank, “Why Is Cost-Benefit Analysis so Controversial?” The Journal of Legal Studies 29, 
no. S2 (2000): 913, https://doi.org/10.1086/468099. 


3.3.4 Strengths, Weaknesses, Opportunities, Threats 


3.3.4.1 Overview 

The analysis of strengths, weakness, opportunities and threats (SWOT) is a technique that 
provides the foundation for realisation of the desired alignment of organisational varia- 
bles or issues. By listing favourable and unfavourable, internal and external issues in four 
quadrants of a grid, planners can better understand how strengths can be leveraged to re- 
alise new opportunities and how weaknesses can slow progress or magnify organisational 
threats,’ and hence act to remedy the latter. 

However, other similar types of analyses exist, e.g. that of value, rarity, imitability and 
organisation (VRIO), which is designed to analyse the competitive implications of a firm’s 
internal strengths and weaknesses, making it possibly useful at the micro-level within an 
organisation.” At a more macro level, other analyses, e.g. PEST analysis (political, eco- 
nomic, socio-cultural and technological), with its derivatives (e.g. adding related societal 
concerns, such as legal or environmental ones), as well as the STEPE Framework (Social, 
Technical, Economic, Political, and Ecological) have been developed." 
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3.3.4.2 Assessment techniques 


Hsu-Hsi Chang and Wen-Chih Huang “Application of a Quantification SWOT Analytical Method,” 
Mathematical and Computer Modelling 43, no. 1-2 (2006): 158-69. 

Jay B. Barney, “Looking inside for Competitive Advantage’, Academy of Management Executive 9, 
no. 4 (1995): 49-61. 

John V. Richardson, “A Brief Intellectual History of the STEPE Model or Framework Oe, the Social, 


Technical, Economic, Political, and Ecological)” (Los Angeles: 2016). 

Marilyn M. Helms and Judy Nixon, “Exploring SWOT Analysis - Where Are We Now?" Journal of 
Strategy and Management 3, no. 3: 215-16, https://doi.org/10.1108/17554251011064837. 

A. Paschalidou, M. Tsatiris, K. Kitikidou, C. Papadopoulou, “Methods (SWOT Analysis); in Using 
Energy Crops for Biofuels or Food: The Choice. Green Energy and Technology (Springer, 2018), https:// 
doi.org/10.1007/978-3-319-63943-7_6. 


3.4 Standalone evaluation techniques 
3.4.1 Environmental impact assessment 


3.4.1.1 Overview 

Environmental Impact Assessment (EIA) is the process of identification, description and 
assessment of the direct and indirect effects of a project on: human beings, fauna and flora; 
soil, water, air, climate and the landscape; the interaction of these factors; and on material 
assets and cultural heritage." 

It is used as a tool to identify the environmental, social, and economic impacts of a pro- 
ject prior to decision-making. It aims to predict environmental impacts at an early stage 
in project planning and design, find ways and means to reduce adverse impacts, shape 
projects to suit the local environment, and present the predictions and options available 
to decision-makers. Through use of an EIA, both environmental and economic benefits 
can be achieved, such as reduced cost and time of project implementation and design, 
avoidance of treatment/clean-up costs and a better understanding of the impacts of laws 
and regulations. 

The assessment consists of consecutive steps, namely scoping and screening of key is- 
sues, identification of impacts and analysis of their significance, impact mitigation, and 
monitoring and review. Public participation is highly encouraged.” 
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3.4.1.2 Assessment techniques 


National Environmental Policy Act (NEPA) [United States] 
- Council on Environmental Quality, Regulations for Implementing the Procedural Provisions of 
the National Environmental Policy Act, Washington 2005, https://ceq.doe.gov/laws-regulations/ 


regulations.html. 
Council on Environmental Quality, Collaboration in NEPA. A Handbook for NEPA Practiti- 
oners, Washington 2005, https://www.energy.gov/sites/prod/files/CEQ_Collaboration_in_ 
NEPA_10-2007.pdf. 
A. Lantieri, Z. Lukacova, J. McGuinn, and A. McNeill, Environmental Impact Assessment of Projects. 
Guidance on the preparation of the Environmental Impact Assessment Report (Brussels: 2007), https:// 


ec.europa.eu/environment/eia/pdf/EIA_guidance_EIA_report_final.pdf. 

Bram E Noble, Bram E Introduction to Environmental Impact Assessment. A Guide to Principles and 
Practice (Toronto: Oxford University Press, 2015). 

Randall J., Jowett E. Environmental impact assessment tools and techniques, World Wildlife Fund, 
Inc. and American National Red Cross (2010), https://www.sheltercluster.org/resources/documents/ 
grrt-3-environmental-impact-assessment-tools-and-techniques. 

SISSON project, Final environmental impact assessment (EIA) report, Chapter 5, Methods (2015), 
https://iaac-aeic.gc.ca/050/documents_staticpost/63169/93967/Sisson_EIA_July2013_Section_5-0_ 
EIA_Methods.pdf. 

UNESCO, Environmental Assessment Method, http://www.unesco.org/new/fileadmin/MULTIMEDIA/ 
HQ/CLT/pdf/ucha_Environmental_Assessment_Method_Southampton.pdf. 


3.4.2 Regulatory impact assessment 


3.4.2.1 Overview 

A regulatory impact assessment (or analysis) (RIA) is a systemic approach to critically 
identify, assess and evaluate the positive and negative effects of proposed and existing 
regulations and non-regulatory alternatives. The process of RIA, for example, serves as a 
tool for the European Commission to estimate the economic, social, and environmental 
impacts of legislative proposals, non-legislative initiatives (e.g. financial programs) or im- 
plementing and delegating acts. It promotes informed decision-making and contributes to 
better regulation, but does not substitute policy-making per se. 

The purpose of RIA is at least twofold: on the one hand, for policy-makers to support 
their reasoning as to why a policy option is preferable in terms of necessity, subsidiarity, 
proportionality, and objectives pursued compared to other options, and, on the other, for 
stakeholders (or the general public) to be able to provide feedback during the inception of 
the legislative process. 


239 


Border Control and New Technologies 


3.4.2.2 Assessment techniques 


OECD, “Regulatory Impact Analysis: A Tool for Policy Coherence,’ in Regulatory Impact Analysis: A 
Tool for Policy Coherence (Paris: OECD Publishing, 2009), https://doi.org/10.1787/9789264067110- 
l-en. 

OECD, “Best Practice Principles for Regulatory Impact Analysis,’ in Regulatory Impact Assessment 
(2020), https://www.oecd-ilibrary.org/sites/663f08d9-en/index.html?itemId=/content/compo- 
nent/663f08d9-en. 

European Commission, “Guidelines on impact assessment,’ in Better regulation guidelines (2017), 


https://ec.europa.eu/info/sites/info/files/better-regulation-guidelines-impact-assessment.pdf. 
World Bank Group, Global Indicators of Regulatory Governance: Worldwide Practices of Regulatory 
Impact Assessments (2018), http://documents1.worldbank.org/curated/en/905611520284525814/ 
pdf/Global-Indicators-of-Regulatory-Governance-Worldwide-Practices-of-Regulatory-Impact- 
Assessments.pdf. 

Colin Kirkpatrick and David Parker “Regulatory Impact Assessment: An Overview,’ in Regulato- 
ry Impact Assessment: Towards Better Regulation? (Cheltenham: Edward Elgar Publishing, 2007), 
https://doi.org/10.4337/9781847208774.00007. 


3.4.3 Strategic niche management 


3.4.3.1 Overview 

Strategic niche management is a tool supporting the “societal introduction of radical sus- 
tainable innovations”. In other words, it is a technique designed to “facilitate the intro- 
duction and diffusion of new sustainable technologies through societal experiments. Its 
ultimate aim is to contribute to a broad shift to more sustainable economic development, 
through an integral combination of technological progress and system-wide social-insti- 


tutional transformation”. 


3.4.3.2 Assessment techniques 


e Marjolein C.J. Caniéls and Henny A. Romijn, “Strategic Niche Management: Towards a Policy 
Tool for Sustainable Development,’ Technology Analysis & Strategic Management 20, no. 2 (2008): 
245-66, https://doi.org/10.1080/09537320701711264. 


R. Mourik and Rob Raven, A Practioner’s View on Strategic Niche Management Towards a Future 
Research Outline (Energy research Centre of the Netherlands, 2006), https://publicaties.ecn.nl/ 
PdfFetch.aspx?nr=ECN-E--06-039. 
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3.4.4 Privacy impact assessment 


3.4.4.1 Overview 

Privacy impact assessment (PIA) is the ‘process for assessing the impacts on the funda- 
mental right to privacy of a project, policy, program, service, product or other initiative 
and, in consultation with stakeholders, for taking remedial actions as necessary in order to 
avoid or minimise the negative impacts?” It usually complements the DPIA process, com- 
pensating for the gaps identified where personal data are not processed, but the privacy of 
individuals is interfered with by a particular technology." 

Before the GDPR, and hence before the legal requirement to conduct, in detail, the 
DPIA process, PIA was the only type of assessment pertaining to processing personal data, 
while its scope would extent to all kinds of processing operations and technical and orga- 
nisational measures. For instance, the scope of a PIA included the description of how per- 
sonal data flowed within a project, analysing the possible impacts on individuals’ privacy, 
identifying and recommending options for avoiding, minimising, or mitigating negative 
privacy impacts, building privacy considerations into the design of a project, etc. All these 
steps are nowadays embedded in the DPIA process, which lists in detail all the obligations 
of the data controller, while the PIA process is employed as a tool for assessing the impacts 
on the fundamental right to privacy. 


3.4.4.2 Assessment techniques 


CNIL, Privacy Impact Assessment (PIA). Templates (Paris: 2018), https://www.cnil.fr/sites/default/ 
files/atoms/files/cnil-pia-2-en-templates.pdf. 

CNIL, Privacy Impact Assessment (PIA). Methodology (Paris: 2018), https://www.cnil.fr/sites/default/ 
files/atoms/files/cnil-pia-1-en-methodology.pdf. 

EL. Makri, Z. Georgiopoulou, and C. Lambrinoudakis, “A Proposed Privacy Impact Assessment 
Method Using Metrics Based on Organizational Characteristics, in Computer Security. CyberICPS 


2019, SECPRE 2019, SPOSE 2019, ADIoT 2019. Lecture Notes in Computer Science, vol 11980, eds. S. 
Katsikas et al., (Springer, 2020), https://doi.org/10.1007/978-3-030-42048-2_9. 
Marie Caroline Oetzel and Sarah Spiekermann, “A systematic methodology for privacy impact 


assessments: a design science approach,” European Journal of Information Systems 23, no. 2 (2014): 
126-150, https://doi.org/10.1057/ejis.2013.18. 

Office of the Privacy Commissioner of Canada’s, Guide to the Privacy Impact Assessment Process 
(2020), https://www.priv.gc.ca/en/privacy-topics/privacy-impact-assessments/gd_exp_202003/. 
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e Konstantina Vemou and Maria Karyda, “An evaluation framework for privacy impact assessment 
methods,” Conference: 12th Mediterranean Conference on Information Systems (MCIS2018) 
(2018), https://www.researchgate.net/publication/326723199_An_evaluation_framework_for_ 


privacy_impact_assessment_methods. 
David Wright and Paul Hert, “Introduction to Privacy Impact Assessment,’ in Privacy Impact As- 
sessment (Dordrecht: Springer, 2012), 3-32, https://doi.org/10.1007/978-94-007-2543-0. 


3.4.5 Health impact assessment 


3.4.5.1 Overview 

A health impact assessment (HIA), or, increasingly frequently, health technology assess- 
ment, is a ‘systematic study of the consequences of the (introductory or continued) use of 
a technology in a particular context. Health impact assessment owes its emergence to gaps 
in existing mechanisms for the promotion of health in institutional decision-making. A 
health impact assessment seeks to improve the quality of policy decisions by evaluating 
any positive or negative health impacts and making recommendations to maximise those 
deemed positive and mitigate those deemed negative. When properly utilised, health im- 
pact assessments recommend options for alternative decisions and mitigation strategies, 
with the aim of ensuring that any decisions made will protect and promote the populati- 
os health. 


3.4.5.2 Assessment techniques 


Björn Hofmann, “On Value-Judgements and Ethics in Health Technology Assessment,” Poiesis & 
Praxis 3, no. 4 (2005): 278, https://doi.org/10.1007/s10202-005-0073-1. 

Jennifer S. Mindell, Anna Boltong, and Ian Forde, “A Review of Health Impact Assessment Frame- 
works,’ Public Health 122, no. 11 (2008): 1177-87, https://doi.org/10.1016/j.puhe.2008.03.014. 


World Health Organization. “WHO | Impact Assessment - Directory of References/Resources” 
(2010), http://www.who.int/heli/impacts/impactdirectory/en/index1.html. 

David Banta, Finn Borlum Kristensen, and Egon Jonsson, “A History of Health Technology Assess- 
ment at the European Level,’ International Journal of Technology Assessment in Health Care 25, no. 1 
(2009): 68-73. https://doi.org/10.1017/S0266462309090448. 


242 


Annex 3 


3.4.6 Ethics impact assessment 


3.4.6.1 Overview 

An ethics impact assessment (eIA) is a process during which an organisation, together 

with stakeholders, considers the ethical issues or impacts posed by a new project, tech- 

nology, service, program, piece of legislation, or other initiative, in order to identify risks 
and solutions. 

The steps for conducting an ethics impact assessment could be: a) a decision on which 
methods should be used, b) a contingency analysis to evaluate the likelihood of ethical 
impacts, c) assessment of the relative importance of ethical impacts, including identifica- 
tion of potential or actual value conflicts, and e) clarification of the ethical impacts and the 
related ethical values/principles and formulation of workable conceptualisations.”” 

In addition, Reijers et al. has recently identified, through a systematic literature review, 
thirty-five different methods to “practice ethics in research and innovation” and arranged 
them into three groups: “(1) ex ante methods, dealing with emerging technologies, (2) in- 
tra methods, dealing with technology design, and (3) ex post methods, dealing with ethical 
analysis of existing technologies”.”! 

Amongst these, the following are worthy of special mention: 

e  Value-Sensitive Design. Since the revelation that ethical values can be embedded into 
the process of design of, for example, a technology,” many methods to do so have 
surfaced. One of them is the Value-Sensitive Design, which is a method of “design 
of a future system in which values of ethical importance are systematically explored 
throughout the design process to be included in the technical content of the system.” 

e  Care-Centred Value-Sensitive Design. A variant thereof, applicable to products and 
services for medical care, it “provides both an outline of the components demanding 
ethical attention as well as a step-by-step manner in which such considerations may 
proceed throughout the design process of a robot: beginning from the moment of idea 
generation and throughout the design of various prototypes”. 

e Responsible Research and Innovation. This is a “transparent, interactive process by 
which societal actors and innovators become mutually responsive to each other with 
a view on the (ethical) acceptability, sustainability and societal desirability of the in- 
novation process and its marketable products (in order to allow a proper embedding 
of scientific and technological advances in our society)”. This concept is built on “six 
distinct dimensions termed as follows: engagement, gender equality, science educati- 
on, ethics, open access and governance”.”* Since its inception, the concept of Respon- 
sible Research and Innovation has become an underlying concept for all European 
Union funding for research and innovation.” 
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3.4.6.2 Assessment techniques 


Aimee van Wynsberghe, “A Method for Integrating Ethics into the Design of Robots,’ Industrial 
Robot: An International Journal 40, no. 5 (2013): 438, https://doi.org/10.1108/IR-12-2012-451. 

Asle H. Kiran, Nelly Oudshoorn, and Peter-Paul Verbeek, “Beyond Checklists: Toward an Ethical- 
Constructive Technology Assessment,” Journal of Responsible Innovation 2, no. 1 (2015): 5-19, 
https://doi.org/10.1080/23299460.2014.992769. 

Batya Friedman, Peter Kahn, and Alan Borning, Value Sensitive Design: Theory and Methods (Uni- 
versity of Washington Technical, 2002), https://faculty.washington.edu/pkahn/articles/vsd-theory- 
methods-tr.pdf. 

Elin Palm and Sven Ove Hansson, “The Case for Ethical Technology Assessment (ETA); Technologi- 
cal Forecasting and Social Change 73, no. 5 (2006), https://doi.org/10.1016/j.techfore.2005.06.002. 
Gill Ringland, “The Role of Scenarios in Strategic Foresight,” Technological Forecasting and Social 
Change 77, no. 9 (2010), https://doi.org/10.1016/j.techfore.2010.06.010. 

High-Level Expert Group on Artificial Intelligence, The Assessment List for Trustworthy Artificial 
Intelligence (2020), https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=60419. 

Tsjalling Swierstra and Arie Rip, “Nano-Ethics as NEST-Ethics: Patterns of Moral Argumenta- 

tion about New and Emerging Science and Technology,’ NanoEthics 1, no. 1 (2007), https://doi. 
org/10.1007/s11569-007-0005-8. 

Wessel Reijers et. al, A Common Framework for Ethical Impact Assessment’, Stakeholders Acting To- 
gether on the Ethical Impact Assessment of Research and Innovation (SATORI Project, 2016), https:// 
satoriproject.eu/media/D4.1_Annex_1_EIA_Proposal.pdf. 


3.4.7 Human rights impact assessment 


3.4.7.1 Overview 

A human rights impact assessment (HRIA) can be defined as a continuous process for 
identifying, comprehending, evaluating and addressing the adverse effects emerging from 
a business project or from activities on the enjoyment of human rights enjoyment by im- 
pacted rights-holders, such as workers and community members. It is a relatively new 
field of impact assessment, compared to the environmental impact assessment or the so- 
cial impact assessment. 
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3.4.7.2 Assessment techniques 


Business for Social Responsibility, Conducting an Effective Human Rights Impact Assessment Guide- 
lines, Steps, and Examples (2013), http://www.bsr.org/reports/BSR_Human_Rights_Impact_Assess- 
ments.pdf. 


James Harrison, “Measuring Human Rights: Reflections on the Practice of Human Rights Impact 
Assessment and Lessons for the Future, Warwick School of Law Research Paper No. 2010/26 (2010), 
http://dx.doi.org/10.2139/ssrn.1706742. 

Nora Gétzmann, Tulika Bansal, Elin Wrzoncki, Cathrine Poulsen-Hansen, Jacqueline Tedaldi, and 
Roya Høvsgaard, Human rights impact assessment guidance and toolbox (The Danish Institute for 
Human Rights, 2016), https://www.humanrights.dk/sites/humanrights.dk/files/media/dokumenter/ 
business/hria_toolbox/hria_guidance_and_toolbox_final_feb2016.pdf. 

Nordic Trust Fund and The World Bank, Study on Human Rights Impact Assessments: A Review of 
the Literature, Differences with other Forms of Assessments and Relevance for Development (2013) 
https://documents1.worldbank.org/curated/en/834611524474505865/pdf/125557-W P-PUBLIC- 
HRIA-Web.pdf. 

Alessandro Mantelero, “AI and Big Data: A Blueprint for a Human Rights, Social and Ethical 
Impact Assessment,’ Computer Law & Security Review 34, no. 4 (2018): 754-772, https://ssrn.com/ 
abstract=3225749. 


3.4.8 Social impact assessment 


3.4.8.1 Overview 

Social impact assessment (SIA) is the process of identifying and managing the social im- 
pacts of envisaged projects. It includes the processes of analysing, monitoring, and ma- 
naging the intended and unintended social consequences, both positive and negative, of 
planned interventions (including, but not limited to, policies, programs, plans and pro- 
jects) and any social change processes invoked by those interventions. It is used to predict 
and mitigate negative impacts and identify opportunities to enhance benefits for local 
communities and broader society. 

The process of an SIA might be both quantitative (statistical) and qualitative (obser- 
vation, interviews, case studies etc.). It begins with the identification of needs and social 
problems, participants, and beneficiaries. It continues with the description of action and 
the initial conditions. It then establishes methods of interaction with affected groups and 
gauges each alternative. Furthermore, it measures the direct impact of the project, as well 
as indirect and cumulative impacts. It concludes with recommendations and a plan to 
counter the impact of undesirable social effects.”* 
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3.4.8.2 Assessment techniques 


Raluca Antonie, “Social Impact Assessment Models,’ Transylvanian Review of Administrative Scien- 
ces 29E (2010), https://rtsa.ro/tras/index.php/tras/article/view/39. 

Leon Hempel, Lars Ostermeier, Tobias Schaaf, and Dagny Vedder, “Towards a Social Impact 
Assessment of Security Technologies: A Bottom-up Approach,” Science and Public Policy 40 (2013): 
740-54, https://doi.org/10.1093/scipol/sct086. 


Henk Becker and Frank Vanclay, The International Handbook of Social Impact Assessment (Chelten- 
ham: Edward Elgar, 2003), https://doi.org/10.4337/9781843768616. 
Frank Vanclay, Ana Maria Esteves, Ilse Aucamp, and Daniel M. Franks. Social Impact Assessment: 


Guidance for Assessing and Managing the Social Impacts of Projects (Fargo: International Association 
for Impact Assessment 2015), https://espace.library.ugq.edu.au/view/UQ:355365. 


3.4.9 Technology assessment 


3.4.9.1 Overview 

Technology assessment (TA) is defined as a class of policy studies that systematically exa- 
mine the effects on society that may occur when a technology is introduced, extended or 
modified. It places an emphasis on those consequences that are unintended, indirect or 
delayed.” 

Technology assessment follows the same pattern, with identification of the technology 
under assessment and affected stakeholders. It continues with an analysis of the precise 
functionality of the technology and the extent to which it serves its purpose, and finishes 
with appropriate documentation and a review. 

Among the modes of understanding and performing a TA, four approaches are promi- 
nent: the classical TA (informing the political sphere about a technology), the participa- 
tory TA (enabling the interaction between politicians and society), the argumentative TA 
(informing about the core values driving science and technology), and the constructive 
TA (bridging the gap between society and science and technology).*” 
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3.4.9.2 Assessment techniques 


Armin Grunwald, “Technology Assessment: Concepts and Methods,” in Philosophy of Technology 
and Engineering Sciences, ed. Anthonie Meijers (Amsterdam: Elsevier, 2009), 1103-46, https://doi. 
org/10.1016/B978-0-444-51667-1.50044-6. 

Joseph F. Coates, “Some methods and techniques for comprehensive impact assessment,’ Technolo- 
gical Forecasting and Social Change 6 (1974): 341-57, https://doi.org/10.1016/0040-1625(74)90035-3. 
Rinie van Est, “The Rathenau Institute’s approach to participatory Technology Assessment,’ TA-Da- 
tenbank Nachrichten 9, no. 3 (2000): 13-20, https://research.tue.nl/en/publications/the-rathenau-in- 
stitutes-approach-to-participatory-technology-asse. 

Jan Van Den Ende, Karel Mulder, Marjolijn Knot, Ellen Moors, Philip Vergragt, “Traditional and 
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Annex 4: Inventory of 
relevant EU legal and 
regulatory instruments 
for border management! 


Alessandra CALVI 


Vrije Universiteit Brussel. E-mail: alessandra.calvi@vub.be. 


Primary law 


e Treaty on the European Union? 


in particular: Article 3(2) 


e Treaty on the Functioning of the European Union? 


in particular: Title V Area of Freedom, Security and Justice 

Protocol (No. 19) on the Schengen acquis integrated into the framework of the 
European Union 

Protocol (No. 21) on the position of the United Kingdom and Ireland in respect 
of the area of freedom, security and justice 

Protocol (No. 22) on the position of Denmark 

Protocol (No. 23) on external relations of the Member States with regard to the 
crossing of external borders 

Protocol (No. 24) on asylum for nationals of Member States of the European Union 
Declaration (36) on Article 218 of the Treaty on the Functioning of the European 
Union concerning the negotiation and conclusion of international agreements by 
Member States relating to the area of freedom, security and justice 


e Charter of Fundamental Rights of the European Union‘ 


DOI: 10.46944/9789461171375.a4 
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Secondary law 


Schengen and Schengen Information System (SIS) 


Agreement between the Governments of the States of the Benelux Economic Union, 
the Federal Republic of Germany and the French Republic on the gradual abolition of 
checks at their common borders (14 June 1985)° 

Convention Implementing the Schengen Agreement of 14 June 1985 between the Go- 
vernments of the States of the Benelux Economic Union, the Federal Republic of Ger- 
many and the French Republic, on the gradual abolition of checks at their common 
borders (19 June 1990)‘ 

Regulation (EC) No. 1986/2006 of the European Parliament and of the Council of 
20 December 2006 regarding access to the second-generation Schengen Information 
System (SIS II) by the services in the Member States responsible for issuing vehicle 
registration certificates (cooperation on vehicle registration)’ 

Regulation (EC) No. 1987/2006 of the European Parliament and of the Council of 
20 December 2006 on the establishment, operation and use of the second-generation 
Schengen Information System (SIS II) (border control cooperation)’ 

Annex to the Commission Recommendation establishing a common “Practical 
Handbook for Border Guards” to be used by Member States’ competent authorities 
when carrying out the border control of persons and replacing Commission Recom- 
mendation C(2006) 5186 of 6 November 2006 [C(2019) 7131 final] 

Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and 
use of the second-generation Schengen Information System (SIS II) (law enforcement 
cooperation)? 

Commission Decision 2010/261/EU of 4 May 2010 on the Security Plan for Central 
SIS II and the Communication Infrastructure” 

Regulation (EU) 2016/399 of the European Parliament and of the Council of 
9 March 2016 on a Union Code on the rules governing the movement of persons 
across borders (Schengen Borders Code)" 

Commission Implementing Decision 2013/115/EU of 26 February 2013 on the Sirene 
Manual and other implementing measures for the second generation Schengen Infor- 
mation System (SIS II)” 

Commission Implementing Decision (EU) 2017/1528 of 31 August 2017 replacing 
the Annex to Implementing Decision 2013/115/EU on the SIRENE Manual and other 
implementing measures for the second generation Schengen Information System 
(SIS I1)” [C(2017) 5893] 

Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 No- 
vember 2018 on the use of the Schengen Information System for the return of illegally 
staying third-country nationals 
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Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 No- 
vember 2018 on the establishment, operation and use of the Schengen Information Sys- 
tem (SIS) in the field of border checks, and amending the Convention implementing the 
Schengen Agreement, and amending and repealing Regulation (EC) No. 1987/2006" 
Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 No- 
vember 2018 on the establishment, operation and use of the Schengen Information 
System (SIS) in the field of police cooperation and judicial cooperation in criminal 
matters, amending and repealing Council Decision 2007/533/JHA, and repealing Re- 
gulation (EC) No. 1986/2006 of the European Parliament and of the Council and 
Commission Decision 2010/261/EU'® 

Proposal COM(2020) 791 final [2020/0350(COD)] for a Regulation of the European 
Parliament and of the Council amending Regulation (EU) 2018/1862 on the establis- 
hment, operation and use of the Schengen Information System (SIS) in the field of 
police cooperation and judicial cooperation in criminal matters as regards the entry 
of alerts by Europol 


Visa Information System (VIS) 


Council Decision 2004/512/EC of 8 June 2004 establishing the Visa Information System 
(VIS)"” 

Regulation (EC) No. 767/2008 of the European Parliament and of the Council of 
9 July 2008 concerning the Visa Information System (VIS) and the exchange of data 
between Member States on short-stay visas (VIS Regulation)'* 

Council Decision 2008/633/JHA of 23 June 2008 concerning access for consultation 
of the Visa Information System (VIS) by designated authorities of Member States and 
by Europol for the purposes of the prevention, detection and investigation of terrorist 
offences and of other serious criminal offences? 

Regulation (EC) No. 810/2009 of the European Parliament and of the Council of 
13 July 2009 establishing a Community Code on Visas” 

Commission Decision 2006/648/EC of 22 September 2006 laying down the technical 
specifications on the standards for biometric features related to the development of 
the Visa Information System” [C(2006) 3699] 

Commission Implementing Decision amending Commission Decision No. C(2010) 
1620 final of 19 March 2010 establishing the Handbook for the processing of visa ap- 
plications and the modification of issued visa (“Visa Handbook”) [C(2019) 3464 final] 
Proposal COM(2018) 302 final [2018/0152(COD)] Proposal for a Regulation of the 
European Parliament and of the Council amending Regulation (EC) No. 767/2008, Re- 
gulation (EC) No. 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, 
Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and 
repealing Council Decision 2008/633/JHA 
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European Dactyloscopy (Eurodac) 


D 


Regulation (EU) No. 604/2013 of the European Parliament and of the Council of 
26 June 2013 establishing the criteria and mechanisms for determining the Member 
State responsible for examining an application for international protection lodged in 
one of the Member States by a third-country national or a stateless person (recast)” 
Regulation (EU) No. 603/2013 of the European Parliament and of the Council of 
26 June 2013 on the establishment of ‘Eurodac for the comparison of fingerprints 
for the effective application of Regulation (EU) No. 604/2013 establishing the crite- 
ria and mechanisms for determining the Member State responsible for examining 
an application for international protection lodged in one of the Member States by a 
third-country national or a stateless person and on requests for the comparison with 
Eurodac data by Member States’ law enforcement authorities and Europol for law 
enforcement purposes, and amending Regulation (EU) No. 1077/2011 establishing 
a European Agency for the operational management of large-scale IT systems in the 
area of freedom, security and justice” 

Commission Regulation (EC) No. 1560/2003 of 2 September 2003 laying down de- 
tailed rules for the application of Council Regulation (EC) No. 343/2003 establishing 
the criteria and mechanisms for determining the Member State responsible for exa- 
mining an asylum application lodged in one of the Member States by a third-country 
national” 

Proposal COM(2016)0272 final [2016/0132 (COD)] for a Regulation of the European 
Parliament and of the Council for a on the establishment of ‘Eurodac for the com- 
parison of fingerprints for the effective application of [Regulation (EU) No. 604/2013 
establishing the criteria and mechanisms for determining the Member State respon- 
sible for examining an application for international protection lodged in one of the 
Member States by a third-country national or a stateless person] , for identifying an 
illegally staying third-country national or stateless person and on requests for the 
comparison with Eurodac data by Member States’ law enforcement authorities and 
Europol for law enforcement purposes (recast) 

Amended proposal COM(2020) 614 final [2016/0132(COD)] for a Regulation of the 
European Parliament and of the Council on the establishment of ‘Eurodac for the 
comparison of biometric data for the effective application of Regulation (EU) XXX/ 
XXX [Regulation on Asylum and Migration Management] and of Regulation (EU) 
XXX/XXX [Resettlement Regulation], for identifying an illegally staying third-coun- 
try national or stateless person and on requests for the comparison with Eurodac 
data by Member States’ law enforcement authorities and Europol for law enforcement 
purposes and amending Regulations (EU) 2018/1240 and (EU) 2019/818 

Proposal COM(2020) 612 final [2020/0278(COD)] for a Regulation of the European 
Parliament and of the Council introducing a screening of third country nationals at 
the external borders and amending Regulations (EC) No. 767/2008, (EU) 2017/2226, 
(EU) 2018/1240 and (EU) 2019/817 
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Entry-Exit System (EES) 


Regulation (EU) 2017/2225 of the European Parliament and of the Council of 30 No- 
vember 2017 amending Regulation (EU) 2016/399 as regards the use of the Entry/ 
Exit System” 

Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 No- 
vember 2017 establishing an Entry/Exit System (EES) to register entry and exit data 
and refusal of entry data of third-country nationals crossing the external borders of 
the Member States and determining the conditions for access to the EES for law enfor- 
cement purposes, and amending the Convention implementing the Schengen Agree- 
ment and Regulations (EC) No. 767/2008 and (EU) No. 1077/2011% 

Commission Implementing Decision (EU) 2018/1547 of 15 October 2018 laying 
down the specifications for the connection of the central access points to the Entry/ 
Exit System (EES) and for a technical solution to facilitate the collection of data by 
Member States for the purpose of generating statistics on the access to the EES data 
for law enforcement purposes” 

Commission Implementing Decision (EU) 2019/326 of 25 February 2019 laying 
down measures for entering the data in the Entry/Exit System (EES) 

Commission Implementing Decision (EU) 2019/329 of 25 February 2019 laying 
down the specifications for the quality, resolution and use of fingerprints and facial 
image for biometric verification and identification in the Entry/Exit System (EES)” 


European Travel Information and Authorization System (ETIAS) 


Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 Sep- 
tember 2018 establishing a European Travel Information and Authorization System 
(ETIAS) and amending Regulations (EU) No. 1077/2011, (EU) No. 515/2014, (EU) 
2016/399, (EU) 2016/1624 and (EU) 2017/2226” 

Regulation (EU) 2018/1241 of the European Parliament and of the Council of 12 Sep- 
tember 2018 amending Regulation (EU) 2016/794 for the purpose of establishing a 
European Travel Information and Authorization System (ETIAS)*! 


European Criminal Records Information System for Third Country Nationals (ECRIS- 
TCN) 


Council Framework Decision 2009/315/JHA of 26 February 2009 on the organisation 
and content of the exchange of information extracted from the criminal record bet- 
ween Member States"? 

Council Decision 2009/316/JHA of 6 April 2009 on the establishment of the European 
Criminal Records Information System (ECRIS) in application of Article 11 of Frame- 
work Decision 2009/315/JHA*® 

Regulation (EU) 2019/816 of the European Parliament and of the Council of 
17 April 2019 establishing a centralised system for the identification of Member States 
holding conviction information on third-country nationals and stateless persons 
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(ECRIS-TCN) to supplement the European Criminal Records Information System 
and amending Regulation (EU) 2018/1726" 

Directive (EU) 2019/884 of the European Parliament and of the Council of 
17 April 2019 amending Council Framework Decision 2009/315/JHA, as regards the 
exchange of information on third-country nationals and as regards the European 
Criminal Records Information System (ECRIS), and replacing Council Decision 
2009/316/JHA* 


Interoperability 


D 


Regulation (EU) 2019/817 of the European Parliament and of the Council of 
20 May 2019 on establishing a framework for interoperability between EU infor- 
mation systems in the field of borders and visa and amending Regulations (EC) 
No. 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and 
(EU) 2018/1861 of the European Parliament and of the Council and Council Decisi- 
ons 2004/512/EC and 2008/633/JHA* 

Regulation (EU) 2019/818 of the European Parliament and of the Council of 
20 May 2019 on establishing a framework for interoperability between EU informati- 
on systems in the field of police and judicial cooperation, asylum and migration and 
amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816% 


Priim Convention 


D 


Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border 
cooperation, particularly in combating terrorism and cross-border crime* 

Council Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision 
2008/615/JHA on the stepping up of cross-border cooperation, particularly in com- 
bating terrorism and cross-border crime?’ 


European Border Surveillance System (Eurosur) 


D 


Regulation (EU) No. 1052/2013 of the European Parliament and of the council of 
22 October 2013 establishing the European Border Surveillance System (Eurosur)” 
Regulation (EU) 2019/1896 of the European Parliament and of the Council of 13 No- 
vember 2019 on the European Border and Coast Guard and repealing Regulations 
(EU) No. 1052/2013 and (EU) 2016/1624" 


Passenger Name Records (PNR) 


D 


Directive (EU) 2016/681 of the European Parliament and of the Council of 
27 April 2016 on the use of passenger name record (PNR) data for the prevention, 
detection, investigation and prosecution of terrorist offences and serious crime” 

Passenger name records (PNR) Updated list of Member States who have decided the 
application of the PNR Directive to intra-EU flights as referred to in Article 2 of Di- 
rective (EU) 2016/681 of the European Parliament and of the Council on the use of 
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passenger name record (PNR) data for the prevention, detection, investigation and 
prosecution of terrorist offences and serious crime 

e Passenger name records (PNR) — Passenger Information Units — List of the Pas- 
senger Information Units referred to in Article 4 of Directive (EU) 2016/681 of the 
European Parliament and of the Council on the use of passenger name record (PNR) 
data for the prevention, detection, investigation and prosecution of terrorist offences 
and serious crime“ 

e Agreement between the European Union and Australia on the processing and trans- 
fer of Passenger Name Record (PNR) data by air carriers to the Australian Customs 
and Border Protection Service"? 

e Agreement between the United States of America and the European Union on the use 
and transfer of passenger name records to the United States Department of Homeland 
Security*® 


API 
e Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to com- 
municate passenger data!" 


Dual-use 
e Regulation (EC) No. 428/2009 of 5 May 2009 setting up a Community regime for the 
control of exports, transfer, brokering and transit of dual-use items® 


Unmanned aircraft systems 

e Commission Delegated Regulation (EU) 2019/945 of 12 March 2019 on unmanned 
aircraft systems and on third-country operators of unmanned aircraft systems” 

e Commission Implementing Regulation (EU) 2019/947 of 24 May 2019 on the rules 
and procedures for the operation of unmanned aircraft? 


Passports 

e Council Regulation (EC) No. 2252/2004 of 13 December 2004 on standards for se- 
curity features and biometrics in passports and travel documents issued by Member 
States 

e International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Tra- 
vel Documents, 7th edition, 20157 


Identity cards 

e Regulation (EU) 2019/1157 of the European Parliament and of the Council of 
20 June 2019 on strengthening the security of identity cards of Union citizens and of 
residence documents issued to Union citizens and their family members exercising 
their right of free movement” applicable from 2 August 2021 

e ICAO Doc 9303 Machine Readable Travel Documents, 7th edition, 2015 
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EU bodies and agencies 


D 


Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 No- 
vember 2018 on the European Union Agency for the Operational Management of 
Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and 
amending Regulation (EC) No. 1987/2006 and Council Decision 2007/533/JHA and 
repealing Regulation (EU) No. 1077/2011°° 

Regulation (EU) 2019/1896 of the European Parliament and of the Council of 13 No- 
vember 2019 on the European Border and Coast Guard and repealing Regulations 
(EU) No. 1052/2013 and (EU) 2016/1624 

Regulation (EU) No. 439/2010 of the European Parliament and of the Council of 
19 May 2010 establishing a European Asylum Support Office” 

Regulation (EU) 2016/794 of the European Parliament and of the Council of 
11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Eu- 
ropol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 
2009/935/JHA, 2009/936/JHA and 2009/968/JHA* 

Proposal COM(2020)796 final [2020/0349(COD)] for a Regulation of the European 
Parliament and of the Council amending Regulation (EU) 2016/794, as regards Eu- 
ropol’s cooperation with private parties, the processing of personal data by Europol 
in support of criminal investigations, and Europol’s role on research and innovation 
Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 No- 
vember 2018 on the European Union Agency for Criminal Justice Cooperation (Eu- 
rojust), and replacing and repealing Council Decision 2002/187/JHA” 
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